System and method for below-operating system trapping and securing loading of code into memory

ABSTRACT

A system for protecting an electronic device against malware includes a memory, an operating system configured to execute on the electronic device, and a below-operating-system security agent. The below-operating-system security agent is configured to trap an attempted access of a resource of the electronic device, access one or more security rules to determine whether the attempted access is indicative of malware, and operate at a level below all of the operating systems of the electronic device accessing the memory. The attempted access includes attempting to write instructions to the memory and attempting to execute the instructions.

TECHNICAL FIELD

The present invention relates generally to computer security and malwareprotection and, more particularly, to a system and method forbelow-operating system trapping and securing loading of code intomemory.

BACKGROUND

Native operating system services can prevent security software frominstalling arbitrary hooking within the kernel of operating systems.Security software is thus prevented from filtering all behaviors of anelectronic device, including potentially malicious actions by malware.Malware may include, but is not limited to, spyware, rootkits, passwordstealers, spam, sources of phishing attacks, sources ofdenial-of-service-attacks, viruses, loggers, Trojans, adware, or anyother digital content that produces malicious activity.

The filtering functionality provided by the operating system may belimited, and only available on timelines decided by the operating systemvendor. Malware can operate and reside at the same level as securitysoftware, particularly in the operating system kernel and thuscompromise both the operating system and the integrity of the securitysoftware itself.

Many forms of aggressive kernel mode malware tamper with user modememory to accomplish malicious tasks such as injecting malicious codedynamically, modifying user mode code sections to alter execution pathsand redirect into malicious code, and modify user mode data structuresto defeat security software. Additionally, some malware may attackanti-malware applications and processes from the kernel by tamperingwith process memory code and data sections to deceive the detectionlogic.

Kernel mode rootkits and other malware employ various methods to hidetheir presence from user mode applications and kernel mode devicedrivers. The techniques used may vary depending upon where the infectiontakes place. For example, malware attacking the kernel active processlist of an operating system to delist or unlink a rootkit or othermalware process. Other malware may tamper with the code sections ofprocess access and enumeration functions.

SUMMARY

In one embodiment, a system for protecting an electronic device againstmalware includes a memory, an operating system configured to execute onthe electronic device, and a below-operating-system security agent. Thebelow-operating-system security agent is configured to trap an attemptedaccess of a resource of the electronic device, access one or moresecurity rules to determine whether the attempted access is indicativeof malware, and operate at a level below all of the operating systems ofthe electronic device accessing the memory. The attempted accessincludes attempting to write instructions to the memory and attemptingto execute the instructions.

In another embodiment, a method for protecting an electronic deviceagainst malware includes trapping an attempted access of a resource ofan electronic device and accessing one or more security rules todetermine whether the attempted access is indicative of malware. Theattempted access includes attempting to write instructions to a memoryof the electronic device, the memory comprising the resource andattempting to execute the instructions. The trapping of the attemptedaccess and determining whether the attempted access is indicative ofmalware are conducted at a level below all of the operating systems ofthe electronic device accessing the memory.

In yet another embodiment, an article of manufacture includes a computerreadable medium and computer-executable instructions carried on thecomputer readable medium. The instructions are readable by a processor.The instructions, when read and executed, cause the processor to trap anattempted access of a resource of an electronic device and access one ormore security rules to determine whether the attempted access isindicative of malware. device, The attempted access includes attemptingto write instructions to a memory of the electronic device, the memorycomprising the resource and attempting to execute the instructions. Theprocessor is configured to conduct the trapping of the attempted accessand determining whether the attempted access is indicative of malware ata level below all of the operating systems of the electronic deviceaccessing the memory.

BRIEF DESCRIPTION OF THE DRAWINGS

For a more complete understanding of the present invention, and theadvantages thereof, reference is now made to the following writtendescription taken in conjunction with the accompanying drawings, inwhich:

FIG. 1 is an example embodiment of a system for protecting an electronicdevice from malware;

FIG. 2 is an example embodiment of a system for avirtual-machine-monitor-based and security-rule-based configurablesecurity solution for protecting an electronic device from malware;

FIG. 3 is an example embodiment of a method for virtual machinemonitor-based protection for an electronic device from malware;

FIG. 4 is an example embodiment of a firmware-based andsecurity-rule-based system for protecting an electronic device frommalware;

FIG. 5 is a more detailed view of an example embodiment of afirmware-based solution for protecting an electronic device frommalware;

FIG. 6 is an example embodiment of a method for firmware-basedprotection for an electronic device from malware;

FIG. 7 is an example embodiment of a microcode-based system forprotection of an electronic device against malware;

FIG. 8 is an example embodiment of a method for microcode-basedprotection for an electronic device from malware;

FIG. 9 is an example embodiment of a system for regulating softwareaccess to security-sensitive processor resources on an electronicdevice;

FIG. 10 is an example embodiment of a processor resource controlstructure;

FIG. 11 is an example embodiment of a method for regulating softwareaccess to security sensitive processor resources of an electronicdevice;

FIG. 12 an example embodiment of a system for regulating software accessfor securing memory using below-operating system trapping on anelectronic device;

FIG. 13 is an illustration of example embodiments of memory maps;

FIG. 14 is an example embodiment of a method for securing memory usingbelow-operating system trapping of attempted access of an electronicdevice;

FIG. 15 is an example embodiment of a system for below-operating systemtrapping and securing loading of code into memory;

FIG. 16 is an example illustration of how injected code may be gatheredby an application to place inside a memory for execution;

FIG. 17 a shows an example illustration of the loading of an image of anapplication from disk to memory;

FIG. 17 b shows an example illustration of possible actions conductedafter an image of an application is loaded in memory;

FIG. 18 illustrates an additional example of malicious attacks onswapped content to inject code;

FIG. 19 is an example embodiment of a memory map after a portion ofmemory has been determined to be malicious; and

FIG. 20 is an example embodiment of a method for below-operating-systemtrapping of loading and executing of code in memory.

DETAILED DESCRIPTION OF THE INVENTION

FIG. 1 is an example embodiment of a system 100 for protecting anelectronic device from malware. System 100 may include a below-operatingsystem (“O/S”) trapping agent 104 communicatively coupled to a triggeredevent handler 108. Below-O/S trapping agent 104 may be configured totrap various attempted accesses of a resource 106 of an electronicdevice 103. Below-O/S trapping agent 104 may be configured to create atriggered event associated with the trapped attempted access, and tosend the triggered event to a triggered event handler 108. Triggeredevent handler 108 may be configured to consult one or more securityrules 114 or a protection server 102 to determine how to handle thetriggered event. Triggered event handler 108 may also be configured toevaluate the triggered event's propensity to be an indication ofmalware, or a malicious attempt to subvert the resources or operation ofelectronic device 103. Furthermore, triggered event handler 108 may beconfigured to provide a determination to below-O/S trapping agent 104 ofwhether the triggered event should be allowed or denied, or may beconfigured to yield another corrective action.

Below-O/S trapping agent 104 may be implemented at a lower functionallevel than the operating systems in electronic device 103. For example,below-O/S trapping agent 104 may intercept attempted accesses ofresource 106 by an operating system 112, a driver 111, or an application110. Below-O/S trapping agent 104 may be running on a processor ofelectronic device 103 without use of an operating system. In oneembodiment, below-O/S trapping agent 104 may be operating on abare-metal environment or execution level. In addition, below-O/Strapping agent 104 may be running at a higher execution priority, asdefined by a processor of electronic device 103, than all operatingsystems of electronic device 103. For example, in the context of ahierarchical protection domain model using protection rings, wherein alower number represents a higher priority, operating system 112 may beoperating at “Ring0” while below-O/S trapping agent 104 may be operatingat “Ring −1.” Drivers 111 and applications 110 may be operating at“Ring0” or “Ring3.” In some embodiments of processors, the concept of“Ring −1” may be known as “Ring0 privileged mode,” and the concept of“Ring0” may be known as “Ring0 non-privileged mode.” Operation in “Ring−1” or “Ring0 privileged mode” may entail additional overhead andexpense than “Ring0” or “Ring0 privileged mode.” Operating systems ofelectronic device 103 may run at Ring0.

Below-O/S trapping agent 104 may operate transparently to entitiesrunning at Ring0 or higher. Thus the attempted access of resource 106may be requested by operating system 112 or another entity in the samemanner whether below-O/S trapping agent 104 is present or not. Below-O/Strapping agent 104, when enforcing a received action, may allow therequest to happen, may deny the request, or take other correctiveaction. To deny the request, below-O/S trapping agent 104 may simply notpass the request to the resource 106 or processor, or may provide aspoofed or dummy reply to the request to convince operating system 112that the action has occurred.

By running at “Ring −1,” at a higher priority than the pertinentoperating systems of electronic device 103, or below the pertinentoperating systems of electronic device 103, below-O/S trapping agent 104may avoid much of the malware that plagues operating systems such asoperating system 112. Malware may trick operating system 112 or evenanti-malware software running at “Ring0,” as malware may also be runningat “Ring0” priority. However, malware on electronic device 103 muststill make requests of resource 106 if it is to carry out maliciousactivities. Thus, trapping operations linked to sensitive resources maybe better accomplished by a trapping agent running below the level ofoperating systems in electronic device 103.

Below-O/S trapping agent 104 may be implemented in any suitable manner.In one embodiment, below-O/S trapping agent 104 may be implemented in avirtual machine monitor. Such an embodiment may operate below the levelof operating systems as described for below-O/S trapping agent 104.Descriptions of an example of such an embodiment may be found in, forexample, discussions of FIG. 2, below, of a security virtual machinemonitor 216. In another embodiment, below-O/S trapping agent 104 may beimplemented in firmware. Such an embodiment may operate below the levelof operating systems as described for below-O/S trapping agent 104.Descriptions of an example of such an embodiment may be found in, forexample, discussions of FIGS. 4 and 5, below, of a firmware securityagent 440, 516, or PC firmware security agent 444. In yet anotherembodiment, below-O/S trapping agent 104 may be implemented inmicrocode. Such an implementation may operate below the level ofoperating systems as described for below-O/S trapping agent 104.Descriptions of an example of such an embodiment may be found in, forexample, discussions of FIG. 7, below, of a microcode security agent708. Below-O/S trapping agent 104 may be implemented in a combination ofthese embodiments.

Triggered event handler 108 may be embodied by one or more eventhandlers or security agents communicatively coupled together. Triggeredevent handler 108 and below-O/S trapping agent 104 may be implemented inthe same security agent. In one embodiment, triggered event handler 108may be operating at the same priority ring as below-O/S trapping agent.In another embodiment, triggered event handler 108 may be operating atthe same priority as operating system 112, driver 111, or application110. In still yet another embodiment, triggered event handler 108 may beimplemented by two or more triggered event handlers wherein at least onetriggered event handler operates at the same priority ring as below-O/Strapping agent, and at least one triggered event handler operates at thelevel of operating system 112, driver 111, or application 110. Byrunning at the level of below-O/S trapping agent 104, triggered eventhandler 108 may similarly avoid the problems of “Ring0” or “Ring3”malware infecting the agent itself. However, a triggered event handler108 running at “Ring0” or “Ring3” with operating system 112, driver 111,or application 110 may be able to provide context information about anattempted access of resource 106 that may be unavailable from theviewpoint of “Ring −1” agents.

Triggered event handler 108 may be implemented in any suitable manner.In one embodiment, triggered event handler 108 may be implemented in avirtual machine monitor or virtual machine monitor security agent. Suchan embodiment may operate below the level of operating systems asdescribed for triggered event handler 108. Descriptions of an example ofsuch an embodiment may be found in, for example, discussions of FIG. 2,below, of a security virtual machine monitor 216 or security virtualmachine monitor security agent 217. In another embodiment, triggeredevent handler 108 may be implemented fully or in part in firmware. Suchan embodiment may operate below the level of operating systems asdescribed for triggered event handler 108. Descriptions of an example ofsuch an embodiment may be found in, for example, discussions of FIGS. 4and 5, below, of a firmware security agent 440, 516, or PC firmwaresecurity agent 444. Triggered event handler 108 may also be implementedin the below-O/S agent 450 in FIG. 4, which may itself be implemented insuch ways as in a virtual machine monitor, firmware, or microcode. Inyet another embodiment, triggered event handler 108 may be implementedin microcode. Such an implementation may operate below the level ofoperating systems as described for triggered event handler 108.Descriptions of an example of such an embodiment may be found in, forexample, discussions of FIG. 7, below, of a microcode security agent708. Triggered event handler 108 may also be implemented in thebelow-O/S agent 712 of FIG. 7, which may itself be implemented in suchways as in a virtual machine monitor, firmware, or microcode. Triggeredevent handler 108 may be implemented in a combination of theseembodiments.

In one embodiment, below-operating system trapping agent 104 and/ortriggered event handler 108 may operate in a bare metal layer ofelectronic device 103. Below-operating system trapping agent 104 and/ortriggered event handler 108 may operate without use of an operatingsystem between them and the resource 106 that they are configured toprotect. The resource 106 may include a processor, features of theprocessor, memory, the entities residing in the memory such as datastructures, or the entities residing in the memory for execution by theprocessor such as functions, processes, or applications. Below-operatingsystem trapping agent 104 and/or triggered event handler 108 may operatedirectly on the hardware of electronic device 103. Below-operatingsystem trapping agent 104 and/or triggered event handler 108 may notrequire the use of an operating system such as operating system 112 toexecute nor gain full access to resource 106.

Other operating systems may exist on electronic device 103 which do notparticipate in the relationship between entities at the level operatingsystem 112, below-operating system trapping agent 104 and triggeredevent handler 108, and resource 106. For example, a pre-boot operatingsystem may securely launch portions of electronic device, but notparticipate in the normal operation of electronic device in terms ofhandling requests from application 110, driver 111, and operating system112 made of resource 106. In another example, electronic device 103 maycontain motherboard components, plug-in cards, peripherals, or othercomponents which contain their own sets of operating systems andprocessors to perform functions outside of the relationship betweenentities at the level operating system 112, below-operating systemtrapping agent 104 and triggered event handler 108, and resource 106.These operating systems may be embedded operating systems. Any of theseoperating systems might not be used for the execution of below-operatingsystem trapping agent 104 and triggered event handler 108. Further, anyof these operating systems might not access the resource 106 protectedby trapping agent 104 and triggered event handler 108.

System 100 may include any combination of one or more below-operatingsystem trapping agents 104 and one or more triggered event handlers 108.Descriptions of the below-operating system trapping agents 104 andtriggered event handlers 108 may be found in descriptions of trappingagents, event handlers, and security agents in the figures that follow.

Resource 106 may include any suitable resource of an electronic device.For example, resource 106 may include registers, memory, controllers, orI/O devices. Descriptions of example embodiments of resource 106 may befound in descriptions of, for example, the system resources 214 of FIG.2, components such as display 430 and storage 432 as shown in FIG. 4, orthe system resources 724 of FIG. 7 below.

Security rules 114 may include any suitable rules, logic, commands,instructions, flags, or other mechanisms for informing below-O/Strapping agent 104 about what actions to trap, or for informingtriggered event handler 108 to handle an event based on a trappedaction. Triggered event handler 108 may be configured to provide one ormore of security rules 114 to below-O/S trapping agent. Descriptions ofexample embodiments of some or all of security rules 114 may be found,for example, in descriptions of security rules 222 of FIG. 2, securityrules 422, 434, 436, 438 of FIG. 4, security rules 518 of FIG. 5, orsecurity rules 707, 723 of FIG. 7 below.

Kernel mode and user mode entities such as application 110, driver 111,and operating system 112 of system 100 may be implemented in anysuitable manner. Descriptions of example embodiments of application 110,driver 111, and operating system 112 of system 100 may be found indescriptions of, for example, application 210, driver 211 and operatingsystem 212 of FIG. 2; application 410, driver 411, and operating system412 of FIG. 4; and application 709, driver 711, and operating system 713of FIG. 7 below.

Electronic device 103 may be implemented in any suitable manner, such asin a computer, a personal data assistant, a phone, mobile device,server, or any other device configurable to interpret and/or executeprogram instructions and/or process data. Descriptions of exampleembodiments of electronic device 103 may be found in discussions of, forexample, electronic device 204 of FIG. 2, electronic device 404 of FIG.4, or electronic device 701 of FIG. 7.

System 100 may be implemented in any suitable system for trappingattempted access of resources at a level underneath the operatingsystems of electronic device 103. System 100 may also be implemented inany suitable means for handling the attempted access by consultingsecurity rules to determine whether the attempted access is malicious ornot. For example, system 100 may be implemented by the systems andmethods 200, 300, 400, 500, 600, 700, and 800 as described in FIGS. 2-8below.

FIG. 2 is an example embodiment of a system 200 for avirtual-machine-monitor-based and security-rule-based configurablesecurity solution for protecting an electronic device from malware.System 200 may be an example embodiment of a system 100, implementingcertain elements of system 100 in a virtual machine monitor. System 200may include an electronic device 204 which is to be protected againstmalware by a configurable security solution. The configurable securitysolution of system 200 may include a security agent running below alloperating systems, a security virtual machine monitor, a cloud-basedsecurity agent and an in-O/S behavioral security agent. The below-O/Ssecurity agent and security virtual machine monitor may be configured toguard access to system resources of the electronic device 204, includingthe resources used by the in-O/S behavioral security agent. Thebelow-O/S security agent may be running in the security virtual machinemonitor. The cloud-based security agent may be configured to providemalware detection information to the below-O/S security agent and to thein-O/S behavioral security agent, and to receive information regardingsuspicious behavior possibly-associated with malware from the securityvirtual machine monitor and in-O/S behavioral security agent. The in-O/Sbehavioral security agent may be configured to scan the electronicdevice 204 for evidence of malware operating on the electronic device.System 200 may include one or more below-O/S security agents configuredto trap attempted use of access to the resources of the electronicdevice 204, generate a triggered event corresponding to the attempt,consult security rules regarding the triggered event, and takecorrective action if necessary regarding the attempt.

In one embodiment, system 200 may include protection server 202communicatively coupled to one or more in-O/S security agents 218 and asecurity virtual machine monitor (“SVMM”) security agent 217. SVMMsecurity agent 217 may reside in a SVMM 216. SVMM 216 may reside andoperate upon electronic device 204. In-O/S security agent 218 and SVMMsecurity agent 217 may be communicatively coupled. Protection server202, in-O/S security agent 218, SVMM security agent 217 and SVMM 216 maybe configured to protect electronic device 204 from infections ofmalware.

SVMM security agent 217 may be an example embodiment of the triggeredevent handler 108 of FIG. 1. SVMM 216 may be an example embodiment ofthe below-O/S trapping agent 104 of FIG. 1.

Electronic device 204 may include a memory 208 coupled to a processor206. Electronic device 204 may include one or more applications 210 ordrivers 211 executing on electronic device for any suitable purpose.Electronic device 204 may include an operating system 212. Operatingsystem 212 may be configured to provide access to system resources 214of electronic device 204 to applications 210 or drivers 211. SVMM 216may be configured to intercept such calls of operating system 212 ofsystem resources 214. SVMM 216 and SVMM security agent 217 may operatebelow the level of operating system 212. For example, SVMM 216 and SVMMsecurity agent 217 may operate directly on processor 206 in a privilegedmode such as “Ring −1.”

Processor 206 may comprise, for example a microprocessor,microcontroller, digital signal processor (DSP), application specificintegrated circuit (ASIC), or any other digital or analog circuitryconfigured to interpret and/or execute program instructions and/orprocess data. In some embodiments, processor 206 may interpret and/orexecute program instructions and/or process data stored in memory 208.Memory 208 may be configured in part or whole as application memory,system memory, or both. Memory 208 may include any system, device, orapparatus configured to hold and/or house one or more memory modules;for example, memory 208 may include read-only memory, random accessmemory, solid state memory, or disk-based memory. Each memory module mayinclude any system, device or apparatus configured to retain programinstructions and/or data for a period of time (e.g., computer-readablenon-transitory media).

Protection server 202 may be operating on a network 244. Protectionserver 202 operating on network 244 may implement a cloud computingscheme. Protection server 202 may be configured to communicate withelements of electronic device 204 to update malware detection rules andinformation. Protection server 202 may be configured to receiveinformation regarding suspicious activities originating from electronicdevice 204 and determine whether or not such suspicious activities areindications of malware infection. Operating system 212 may include oneor more in-O/S security agents 218. In-O/S security agent 218 may beconfigured to receive monitoring and detection rules from protectionserver 202, such as in-O/S security rules 220. In-O/S security agent 218may be configured to use the in-O/S security rules 220 received byprotection server 202 to monitor and prevent suspicious activities onelectronic device 204. In-O/S security agent 218 may be configured toreport detected suspicious activities back to protection server 202.In-O/S security agent 218 may be configured to prevent malwareoperations and to report such preventions to protection server 202. Ifmore than one in-O/S security agent 218 is present in system 200, eachin-O/S security agent 218 may be configured to perform a designatedportion of the trapping, validating, or other tasks associated within-O/S security agent 218. Such portions may be defined bybelow-operating-system security agents. For example, one in-O/S securityagent 218 may validate or investigate MOV instructions, while anotherin-O/S security agent 218 may validate or investigate JMP instructions.In-O/S security agent 218 may be configured to determine the life cycleof a particular page in memory. For example, in-O/S security agent 218may know the processes and steps typically used by operating system 212to allocate a page of memory. Similarly, in-O/S security agent 218 mayknow the processes and steps typically used by operating system 212 toload an image of an application in its loader. Such processes may followa static pattern of operation. Thus, in-O/S security agent 218 may beconfigured to track the operation of operating system 212 to determinewhether for a given action standard procedures were followed. In-O/Ssecurity agent 218 may communicate with SVMM security agent 217 todetermine whether or not an operation trapped by SVMM security agent 217generated the corresponding expected actions observed by in-O/S securityagent 218. A discrepancy may indicate that malware has attempted toperform a system function outside of the normal operation of theoperating system 212. Thus, for example in-O/S security agent 218 andSVMM security agent 217 may determine whether a page in question wasloaded in memory directly by malware or was loaded by the operatingsystem loader. Such a behavior may cause in-O/S security agent 218 orSVMM security agent 217 to report information to protection server 202,employ more aggressive trapping and checking, or take any othercorrective measures.

In one embodiment, in-O/S security agent 219 may be configured toprovide contextual information by embedding itself within operatingsystem 212. For example, in-O/S security agent 219 may be configured toregister itself or a subcomponent as a driver filter, and attach itselfto a main driver to determine what the driver sees or does not see. Byattached as a filter to NDIS.SYS, for example, in-O/S security agent 219may be configured to report the file I/O operations seen by theoperating system 212 drivers.

In another embodiment, in-O/S security agent 219 may be configured toprovide such information observed from within operating system 219 toSVMM security agent 216 or other below-O/S security agents forcomparison with information observed below the operating system.Discrepancies between the two sets of information may indicate apresence of malware attempting to hide itself. For example, in-O/Ssecurity agent 219 may hook or filter NDIS.SYS, and monitor for filewrites to a particular file. SVMM security agent 216 may monitor inputand output commands. If SVMM security agent 216 determined more writesthan should have been seen based on the list of function calls seen byin-O/S security agent 219, then malware may be clandestinely writing todisk outside of the functions provided by operating system 212.

Network 244 may be implemented in any suitable network forcommunication, such as: the Internet, an intranet, wide-area-networks,local-area-networks, back-haul-networks, peer-to-peer-networks, or anycombination thereof. Protection server 202 may use the reports submittedfrom various security agents 218 running on various electronic devices204 to further detect malware by applying prevalence and reputationanalysis logic. For example, a suspicious behavior identified onelectronic device 204 may be synthesized into a rule for protectionserver 202 to proactively protect other electronic devices 204. Such arule may be determined, for example, based on the number of times that asuspicious driver has been reported. For example, an unknown driver witha narrow or slow distribution pattern may be associated with malware. Onthe other hand, an unknown driver with a wide and fast distribution maybe associated with a patch of a popular and widely availableapplication. In another example, such a detected driver may have beendetermined by security software running on another electronic device tohave accessed a website known to host malware. Such a driver may bedetermined to be associated with malware.

SVMM 216 may implement some or all of the security virtual machinemonitoring functions of system 200. SVMM 216 may be configured tointercept access to system resources—such as registers, memory, or I/Odevices—to one or more operating systems running on an electronicdevice. The security virtual machine monitoring functions of system 200may be implemented using SVMM 216, or any other virtual machine monitorconfigured to protect electronic device 204 according to the teachingsof this disclosure. SVMM 216 may be configured to control and filteractions taken by operating system 212 while operating system 212attempts to access system resources 214, on behalf of itself or onbehalf of applications 210 running through operating system 212. SVMM216 may run underneath operating system 212 on electronic device 204 andmay have control over some or all processor resources made available tooperating system 212 and application 210 or driver 211. Application 210may comprise any application suitable to run on electronic device 204.Driver 211 may comprise any driver suitable to run on electronic device204. The processor resources made available for control by SVMM 216 mayinclude those resources designated for virtualization. In oneembodiment, SVMM 216 may be configured to virtualize system resources214 for access by operating system 212, application 210, or driver 211.As examples only, such system resources 214 may include input-outputdevices 226, system memory 228, or processor resources 230. As examplesonly, processor resources 230 may include conventional registers 232,debug registers 234, memory segmentation 236, memory paging 238,interrupts 240 or flags 242. I/O devices 226 may include access to suchdevices such as keyboard, display, mice, or network cards.

SVMM 216 may be configured to trap the execution of operationsoriginating from operating system 212 to access system resources 214.SVMM 216 may include a control structure configured to trap specificattempted accesses of system resources 214. Any suitable controlstructure may be used. In one embodiment, such a control structure mayinclude virtual machine control structure (“VMCS”) 221. SVMM 216 may beconfigured to trap such execution by manipulating flags inside of VMCS221. SVMM 216 may be configured to trap any suitable operation ofoperating system 212, application 210, or driver 211 involving an accessof system resources 214. Such trapped operations may include, forexample: reading, writing and execution of particular pages of memory insystem memory 228; loading and storing a value to or from a processorregister 230; or reading and writing to or from I/O devices 226. Anysuch operations may cause a Virtual Machine Exit (“VM Exit”), which maybe trapped by SVMM 216. SVMM 216 may be configured to trap thegeneration of interrupts 240, which may be generated by the processor208 or initiated by elements of operating system 212. SVMM 216 may beconfigured to trap the attempted reading and writing to or from I/Odevice 226 by trapping IN and OUT instructions. SVMM may be configuredto trap such instructions by trapping access to mechanisms, for example,of Virtualization Technology Directed I/O (“VTd”). VTd may allow I/Odevice virtualization according to processor 208. By accessing VTdfacilities, SVMM security agent 217 may be configured to determinedevices connected by VTd, determine meta information from operatingsystem 212, ports on the I/O device, or other suitable information. SVMMsecurity agent 217 may be configured to control or trap the operation ofsuch virtualized device access. For example, SVMM security agent 217 maybe configured to determine I/O permission maps, containing I/Oassignments given to programmable I/O ports. SVMM security agent 217 maybe configured to trap access to such permission maps, which may be doneby malware, or use such permission maps to determine the relationship ofentities on operating system 212 and a request of an I/O device.

In one embodiment, SVMM security agent 217 may be operating in SVMM 216.In another embodiment, SVMM security agent 217 may be operating outsideof SVMM 216, but may be communicatively coupled to SVMM 216. In such anembodiment, SVMM security agent 217 may be operating below the level ofoperating systems of electronic device 204 such as operating system 212.SVMM security agent 217 may be operating at the same level and/or thesame priority of SVMM 216. SVMM security agent 217 may be configured tohandle events triggered by or trapped by SVMM 216. SVMM security agent217 may be configured to access contents of memory 228 or a disk at alevel below the operating system 212 so as to examine the contents freeof interference of kernel-level rootkits. Furthermore, some operationsof SVMM security agent 217 may be implemented by SVMM 216, and someoperations of SVMM 216 may be implemented by SVMM security agent 217.

SVMM security agent 217 may be configured to set the operation of SVMM216 in terms of what actions will cause a trap or trigger. In oneembodiment, SVMM 216 may be configured to communicate the detection oftrapped actions to SVMM security agent 217. SVMM security agent 217 maybe configured to consult security rules 222 to determine whether thetrapped actions indicate malware or malicious activities, and based uponsecurity rules 222 may provide indications to SVMM 216 about whatsubsequent action to take. Such subsequent action may include allowingthe attempted action, disallowing the attempted action, or taking othercorrective steps.

The operation of trapping the attempted access and execution of systemresources 214 by SVMM 216 and SVMM security agent 217 may be coordinatedthrough information gathered by in-O/S security agent 218. In-O/Ssecurity agent 218 may be configured to provide context to the trappingand handling operations of SVMM 216 and SVMM security agent 217. Forexample, a particular operating system data structure may normally onlybe written to by a specific application or service. In-O/S securityagent 218 may determine what applications or processes are currentlyvisibly running on operating system 212 and communicate the informationto SVMM security agent 217. If the specific application or service isnot listed as visibly running, then the attempted write to the datastructure may have come from an unauthorized application or process.

In-O/S security agent 218 may be configured to communicate with SVMM 216and/or SVMM security agent 217 via hypercalls. Hypercalls may beimplemented with a descriptor table defining available requests that maybe used, as well as associated input and output parameters. Such adescriptor table may define one or more requests possible for in-O/Ssecurity agent 218 to communicate with SVMM 216 and/or SVMM securityagent 217. Such a descriptor table may also define where input andoutput parameters for such a request may be located in memory.

In-O/S security agent 218, SVMM security agent 217, and protectionserver 202 may be configured to authenticate each other. Each ofsecurity agent 212, SVMM security agent 217 and protection server 202may be configured to not continue communications with each other unlesseach of the entities is authenticated. SVMM 216 may be configured tolocate the in-O/S security agent 218 image in memory 206, and usecryptographic signing algorithms to verify the in-O/S security agent 218image in memory 206. Authentication between protection server 202,in-O/S security agent 218 and SVMM security agent 217 may use anysuitable method, including cryptographic hashing and/or signingalgorithms. In one embodiment, such authentication may involve theexchange of a private secret key. In-O/S security agent 218 may beconfigured to receive a secret key from protection server 202 to verifythe instance of SVMM security agent 217.

In-O/S security agent 218 may have contextual information regarding theoperation of operating system 212. In-O/S security agent 218 may beconfigured to communicate with SVMM security agent 217 to provide suchcontextual information. SVMM security agent 217 may instruct SVMM 216on, for example, how to define certain pages of memory, or whichregisters to trap.

SVMM 216 may be configured to trap access attempts to system resources214 defined by SVMM security agent 217. For example, for traps of memoryaccess, SVMM 216 may be configured to trap operations such as read,write or execute. For trapping access to processor registers 230, SVMM216 may be instructed to trap operations including load, store, or readregister values. For trapping I/O operations, I/O devices 226, SVMM 216may be instructed to trap operations such as input or output tokeyboards, mice, or other peripherals. SVMM security agent 217 and/orother below-operating system security agents in the figures below may,in conjunction with in-operating system security agents, may beconfigured to determine for an I/O operation, the identity of a targetI/O device 226, target operation to be performed upon the I/O device226, and the data to be transferred.

SVMM security agent 217 may be configured to determine contextualinformation, such as what entity of operating system 212 has attemptedto access a resource of electronic device 204, or to what entity ofoperating system 212 a resource may belong. SVMM security agent 217 maybe configured to make such determinations through any suitable method.In one embodiment, SVMM security agent 217 may be configured to accesscontextual information for such determinations from in-operating systemsecurity agent 218. In another embodiment, SVMM security agent 217 maybe configured to, directly or indirectly, access a call stack ofoperating system 212 and/or an execution stack of processor 208 todetermine the order of calls made by different processes or applicationsof operating system 212. An Execution Instruction Pointer may point tothe instruction causing the trigger, while an Execution Stack Pointerand Execution Base Pointer may point to the stack frames. By walkingthrough the Execution Base Pointer through the stack, previous functioncalls may be identified providing context for the operation at hand.Such stacks may indicate the operation that was attempted as well as asource memory location. In yet another embodiment, SVMM security agent217 may be configured to use a memory map in conjunction with securityrules 222 to determine whether an attempt is malicious or indicative ofmalware. Such a memory map may, for example, indicate the entity thatmade an attempted access of resources, given a memory location of theattempted access. Such a memory map may be defined, for example, invirtual memory page identifiers and/or physical memory addresses. Such amemory map may, in another example, indicate the entity corresponding tothe memory location of the target of the attempt. Using the memory map,SVMM security agent 217 may be configured to determine the identities ofthe source and targets, or entity owners thereof, of an attemptedaccess. The memory map may be created in part by SVMM security agent 217or other below-O/S security agents in the figures below in conjunctionwith in-operating system security agents through monitoring theexecution of the system. SVMM security agent 217 and/or otherbelow-operating system security agents in the figures below may, inconjunction with in-operating system security agents, determine for agiven memory page or physical address whether such a location belongs toa particular code section or data section; to which module, process,application, image, or other entity it belongs; or whether it isassociated with user mode or kernel mode entries. SVMM security agent217 and/or other below-operating system security agents in the figuresbelow may, in conjunction with in-operating system security agents,determine metadata for the mapping of virtual memory and physical memoryindicating the identification, location, and permissions of variousentities running on the electronic device 204. Similarly, SVMM securityagent 217 and/or other below-operating system security agents in thefigures below may use a mapping of sectors in a mass storage device todetermine the location of images of such entities in the mass storagedevice. SVMM security agent 217 and/or other below-operating systemsecurity agents in the figures below may, in conjunction within-operating system security agents, determine for a given entity thesectors, files, directories, and volumes on which they reside.

SVMM security agent 217 may be configured to allocate memory such assystem memory 228 as required for operation of in-O/S security agent218, SVMM security agent 217, and SVMM 216. SVMM security agent 217 maybe configured to request that SVMM 216 secure such allocated memoryagainst unauthorized read and write operations. SVMM 216 may beconfigured to initialize the allocated memory after protection of thememory is established to eliminate the opportunity for malware to addmalicious code between the time when the memory is allocated by in-O/Ssecurity agent 218 and the protection is established by SVMM 216.

SVMM security agent 217 may be configured to communicate with protectionserver 202 to securely receive SVMM security rules 222. SVMM securityrules 222 may comprise instructions, logic, rules, shared libraries,functions, modules, or any other suitable mechanism for instructing SVMM216 about what security policies to employ. SVMM security agent 217 maybe configured to transfer information to protection server 202 regardingsuspicious activities and detected malware from electronic device 204.

In-O/S security agent 218 may be configured to communicate withprotection server 202 to receive in-O/S security rules 220. In-O/Ssecurity rules 220 may comprise instructions, logic, rules, sharedlibraries, functions, modules, or any other suitable mechanism forin-O/S security agent 218 to detect malware on electronic device 204.In-O/S security agent 218 may be configured to transmit information toprotection server 202 regarding suspicious activities and detectedmalware on electronic device 204.

In-O/S security rules 220 and SVMM security rules 222 may each compriseprotection rules for protecting electronic device 204 against malwareinfections, and for detecting suspicious activities that may comprisemalware. In-O/S security agent security rules may contain rules executedby and within in-O/S security agent 218. SVMM security rules 222 maycontain rules executed by and within SVMM 216 and/or SVMM security agent217.

SVMM security rules 222 may be configured to provide information to SVMMsecurity agent 217 with definitions of how to observe and detect malwareinfections of electronic device 204. For example, SVMM security rules222 may include categorizations of what types of function calls orbehaviors from entities such as application 210 or driver 211 that SVMMsecurity agent 217 may monitor for indications of malware. As anotherexample, SVMM security rules 222 may include definitions of how SVMMsecurity agent 217 may process such triggered function calls, includingwhat parameters to use, how to extract values from such calls, or how tovalidate the operation of such calls. Furthermore, SVMM security rules222 may include information for in-SVMM security agent 217 on how tomonitor the behavior of entities electronic device such as application210 or driver 211, as well as exceptions to such behavioral detectionrules. As yet another example, SVMM security rules 222 may includeinformation for SVMM security agent 217 on how to prevent and repairmalicious behaviors detected by such behavioral detection rules. SVMMsecurity rules 222 may include details of what data that SVMM securityagent 217 should monitor, collect, and send to protection server 202.

Similarly, in-O/S security rules 220 may be configured to provideinformation to in-O/S security agent 218 with definitions of how toobserve and detect malware infection of electronic device 204, as wellas how to coordinate such activities with SVMM security agent 217.

SVMM security rules 222 may also include rules regarding what actionsSVMM 216 will trap. SVMM security agent 217 may be configured to applysuch rules to SVMM 216. For example, SVMM security agent 217 may beconfigured to convert the address for a function to be trapped into anidentifiable virtual or physical page of memory, create a request forSVMM 216 to trap the execution of such a page, and subsequently call thesecurity agent 217 after trapping the execution. SVMM security agent 217may be configured to receive SVMM security rules 222 through itsinterface with the SVMM 216. Such an interface may comprise ahypercall-based interface. SVMM security agent 217 may be configured topush any resulting detections or reports to SVMM 216 through the samehypercall based interface.

In one embodiment, SVMM 216 may be configured to process triggeredactions without consulting SVMM security agent 217. In such anembodiment, SVMM 216 may be configured to install additional triggersthat are processed within SVMM 216 which might not be passed to SVMMsecurity agent 217. Such additional triggers may be defined by SVMMsecurity rules 222. In one embodiment SVMM security rules 222 may definememory pages scanning rules for SVMM 216. Such rules may include alisting of entities or modifications which are malicious and should notbe allowed to reside in memory. Such rules may also include a whitelist,configured to include a listing of pages that are specifically allowedto exist within system memory 228. In another embodiment, SVMM securityrules 222 may define to the SVMM 216 memory pages access rules. Suchrules may include definitions of what code pages are allowed, orconversely, prohibited to access a given code or data page.Consequently, SVMM security rules 222 may be configured to instruct SVMM216 to act as a memory scanner, and/or control access to memory pages.

SVMM 216 may be configured to protect SVMM security agent 217, SVMM 216,and in-O/S security agent 218 by preventing unauthorized read and writeaccess to their respective code and data pages in system resources 214.For example, if application 210 or driver 211 make a request to aportion of system memory 228, processor registers 230 or I/O devices 226which would result in affecting the integrity or operation of SVMMsecurity agent 217, SVMM 216, and in-O/S security agent 218, then SVMM216 may be configured to intercept such an attempted request, andsubsequently re-route the request, deny it, or take other appropriateaction. In another example, SVMM 216 may be configured to authorize readaccess for portions of system memory 228, processor registers 230 or I/Odevices 226 affecting SVMM security agent 217, SVMM 216, and in-O/Ssecurity agent 218 for memory security software applications, such asSVMM security agent 217 itself, or other corresponding or affiliatedprograms. Such an authorization may be defined within SVMM securityrules 222, which may define to SVMM 216 how to handle access to systemresources 214 such as system memory 228. In one embodiment, SVMMsecurity rules 222 may include a whitelist of trusted security programs,which may include SVMM security agent 217.

To communicate with protection server 202, SVMM 216 may include asecured network interface 224. Secured network interface 224 may beconfigured to provide secure access between a network server such asprotection server 202 and an element of electronic device 204 such asSVMM 216 or SVMM security agent 217. SVMM 216 may include a logicalTCP/IP driver or other communication interface, which may implementsecured network interface 224. The protection server 202 may beconfigured to communicate via secured network interface 224 to instructSVMM 216 or SVMM security agent 217 to update itself, as well as provideprotection rules such as SVMM security rules 222 or in-O/S securityrules 220. Protection server 202 may be configured to deliver customizedrules for a particular electronic device 204, or a particular SVMM 216.Such customization may include the type of malicious activities thathave been reported on electronic device 204, along with other protectionmechanisms within electronic device 204 such as an anti-virus program,firewall, or other protection mechanism. In one embodiment, protectionserver 202 may be operated by an administrator of electronic device 204on, for example, a local network. In such a case, the administrator mayset global or personalized policies for handling suspicious behaviorthat may be implemented by rules received from protection server 202.SVMM 216 may include an update engine that informs SVMM 216 or SVMMsecurity agent 217 how to update itself through a new image deliveredsecurely via protection server 202.

In-O/S security rules 220 and SVMM security rules 222 may each beconfigured to request that particular or classes of observed actions oroperations on electronic device 204 be passed to protection server 202.There, protection server may examine and verify the observations beforethe action is allowed to proceed on electronic device 204. Protectionserver 202 may be configured to accept such an action to be examinedsynchronously or asynchronously. In one embodiment, in-O/S securityagent 218 may be configured to pass questionable activities, segments ofcode or data, or actions to SVMM 216 for verification by protectionserver 202. For example, in-O/S security agent 218 may detect asuspected instance of malware by detecting an unsigned driver loadedwithin memory. SVMM 216 may receive the information about the suspicioussoftware from in-O/S security agent 218, and may provide it toprotection server 202.

SVMM security rules 222 may be configured to allow or deny access to anysuitable system resource of electronic device. Such resources availableto be monitored may depend upon the resources exposed by processor 206.For example, in one embodiment SVMM security rules 222 may be configuredto allow SVMM 216 to restrict access to system memory 228, I/O devices226, and interrupts 140. Such a restriction may prevent unauthorizedaccess to I/O devices such as keyboard displays or removable discs. Inanother embodiment, SVMM security rules 222 may be configured to allowSVMM 216 to restrict access to interrupt descriptor table entries,including entries in processor registers such as interrupt 240. In yetanother embodiment, SVMM security rules 222 may be configured to allowSVMM 216 to restrict access to Extended Page Tables (“EPT”), or anyother mechanism handling the mapping of virtual memory (real memory fromthe perspective of a guest operating system) to host physical memory.

If electronic device 204 contains one or more processors besidesprocessor 208 that support virtualization, SVMM 216 or another instanceof SVMM 216 may be configured to intercept attempts to access thevirtualized resources of such other processors. If electronic device 204contains, for example, a quad-processor containing processor 208, theresources of the quad-processor may be protected by SVMM 216. If the oneor more other processors do not support virtualization, SVMM 216 mightnot be able to secure access to their resources. If the one or moreother processors support a different virtualization technology fromprocessor 208, SVMM 216 may be configured to secure access to theirresources if SVMM 216, but in a different manner than as processor 208is secured, since the manner in which resources are virtualized maydiffer.

In operation, protection server may be running on network 244. In-O/Ssecurity agent 218 may be running on electronic device 204 to protectelectronic device 204 from malware infections, by scanning electronicdevice 204 for malware, observing the behavior of entities such asapplication 210 and driver 211 on electronic device 204 for suspiciousbehavior, and by repairing any such infections that were found. In-O/Ssecurity agent 218 may be running at the same priority or level asoperating system 212, and may be running in operating system 212. SVMM216 may be operating on electronic device 204 to protect electronicdevice 204 from malware infection by trapping the attempted access ofsystem resources of electronic device 204. SVMM security agent 217 maybe running on electronic device 204, or another suitable electronicdevice, to set the trapping operation of SVMM 216 and to handle some orall of the trapped attempted accesses of system resources. SVMM 216 andSVMM security agent 217 may be running below the operating system 212with a priority of “Ring −1.” SVMM security agent 217 may be running onSVMM 216.

Protection server 202 may send security rules, such as SVMM securityrules 222 and in-O/S security rules 220, to electronic device 204. Suchrules may be received by SVMM security agent 217, which may providein-O/S security rules 220 to SVMM 216. Such rules may be received byin-O/S security agent 218.

Protection server 202, security agent 218 and SVMM security agent 217may each authenticate each other. SVMM security agent 217 may locate theimage of security agent 218 in memory and use cryptographic signingalgorithms to verify the image of security agent 218 resident in memory.Protection server 202 and SVMM security agent 217 may authenticate eachother using cryptographic hashing and signing algorithms to correctlyidentify each other. SVMM security agent 217 and protection server 202may also exchange a private secret key to authenticate the identity ofeach other. Security agent 218 may receive a secret key from protectionserver 202 to verify the instance of SVMM security agent 217.Communication between security agent 218, SVMM security agent 217, and202 may not be fully established unless each of the agents isauthenticated with each other. Similarly, SVMM security agent 217 andSVMM 216 may verify and authenticate each other if they are running asseparate entities.

SVMM 216 and SVMM security agent 217 may be running underneath operatingsystem 212 and all operating systems of electronic device 204. SVMM 216may monitor access to system resources 214, including I/O devices 226,system memory 228, and processor registers 230 by operating system 212,security agent 218, application 210, and driver 211. SVMM 216 may trapthe execution of key operations requested by operating system 212,security agent 218, application 210, driver 211, or any other entity ofelectronic device 204. SVMM 216 may trap such execution by manipulatingflags inside of VMCS 221. When VMCS 221 intercepts a request for aprotected resource, operation may be handed off to SVMM 216 for furtheroperation, diagnosis and repair. In one embodiment, operation may besubsequently handled by SVMM security agent 217. In another embodiment,handling of the trapped operation may be conducted by SVMM 216 itself.SVMM 216 may trap any necessary operation of electronic device 204 toprovide protection against malware. Such operations may include, but arenot limited to: reading, writing and execution of particular code ordata pages in system memory 228; loading and storing of value from asystem register and processor registers 230; or reading to or from I/Odevices 226. The specific operations which will be trapped by SVMM 216may be defined by SVMM security rule 222.

Protection server 202 may communicate with SVMM security agent 217 orin-O/S security agent 218 to provide security rules to each. In oneembodiment, protection server 202 may deliver SVMM security rules 222 toSVMM security agent 217. In another embodiment, protection server 202may deliver in-O/S security rules 220 to in-O/S security agent 218. Inyet another embodiment, protection server 202 may deliver in-O/Ssecurity rules 220 to SVMM security agent 217, which may then providethe rules to in-O/S security agent 218.

Application 210, driver 211 or other entities operating an electronicdevice 204 may be observed by in-O/S security agent 218. In-O/S securityagent 218 may use in-O/S security rules 220 to observe the behavior ofsuch processing entities to determine whether their behavior constitutessuspicious behavior indicating a possible infection of malware. Uponsuch a detection of suspicious activities, in-O/S security agent 218 mayprovide the suspicious information to protection server 202 for furtheranalysis and instruction. In-O/S security rules 220 may indicate toin-O/S security agent 218 that such behaviors are suspicious, as well asindicate corrective action. For example, application 210 may communicatewith a network destination which is known to host malware. In-O/Ssecurity agent 218 may notice the activity of application 210, andsubsequently block the network access of application 210 to the networkdestination. In-O/S security agent 218 may also scan electronic device204 for malware. For example, in-O/S security agent 218 may examine thecontents of memory 206, or system memory 228 for patterns thatcorrespond to signatures of malware. Such an examination may revealthat, for example, application 210 contains a block of codecorresponding to a known segment of malware. In-O/S security agent 218may then clean electronic device 204 of the infection of malware byrepairing application 210, removing application 210, or taking any othersuitable action. In-O/S security agent 218 may communicate withprotection server 202 regarding any detected suspicious behaviors, orother indications of malware, and may receive instructions fromprotection server 202 on how to deal with such malware.

In one embodiment, SVMM security agent 217 may be configured to evaluatea trapped operation based on the origin of the entity that made theattempted operation. For example, if a driver was downloaded from anunknown domain, or has a certificate from an unknown guarantor, then theability of the driver to subsequently operate may be limited. Forexample, a driver whose status is unknown may be denied the ability toattach itself to another driver. If the driver was downloaded from adomain known to host malware or contains fraudulent credentials, thenthe driver may be not permitted to even load. Similarly, if a driver isknown to be from a particular domain or created by a particular author,then SVMM security agent 217 may be configured to recognize services inelectronic device 204 authorized to update the driver, and to limit theability to write or access the driver to those services. For example, akernel driver from Company X may only be written to from Company X'supdate service software resident on electronic device 204. SVMM securityagent 217 may be configured to validate the operation and integrity ofthe update service. In another embodiment, SVMM security agent 217 maybe configured to evaluate a trapped operation based on the target of theattempt. For example, an attempt to update software from a service maybe trapped for kernel drivers, but not for application software.

Once an entity has been determined to be suspicious, or an attemptdetermined to indicate malware, the process causing the attempt and thememory housing the process may be linked. Other processes accessing thesame portion of memory may similarly be determined to be malware. Atrapped attempt to access a resource may be stored, and a subsequentattempt to access a protected resource may be evaluated in light of theoriginal event. For example, a malicious operation may require that codebe written to a data segment then executed. Thus, SVMM security agent217 may trap the original write access to the data segment, allow thewrite, but record the source of the write access. Subsequently, SVMMsecurity agent 217 may trap a subsequent attempt to execute the datasegment, and evaluate the malicious status of the attempt in light ofthe previously trapped operation, the entity which attempted it, orother suitable forensic information.

SVMM security agent 217 may instruct SVMM 216 concerning which of systemresources 214 that SVMM 216 is to trap through a control structure suchas VMCS 221. SVMM 216 may then trap access requests to system resources214 originating from entities of electronic device 204 such as operatingsystem 212, application 210 or driver 211. For example, if a request ismade to read, write or execute portions of system memory 228, SVMM 216may intercept such a request through a flag set for the designatedportion of system memory in VMCS 221. In another example, accessrequests made of I/O devices 226 may be intercepted by VMCS 221, such asinput or output operations. In yet another example, requests of processregisters 230, such as load or store commands, may be trapped by VMCS221. Any such traps may result in the notification of SVMM 216 of theattempted access. Once SVMM 216 has trapped an attempted operation uponsystem resources 214, SVMM 216 may communicate such a trapped executionto SVMM security agent 217.

In-O/S security agent 218 and SVMM security agent 217 may communicate todetermine the context of operations conducted within operating system212. For example, a trapped system call from operating system 212 to aparticular resource of electronic device 204 may have originated from aparticular part of memory. SVMM security agent 217 may communicate within-O/S security agent 218 to determine what application, process, orother entity resides within the particular part of memory.

Based on SVMM security rules 222, and the trapped operation and/orcontextual information from in-O/S security agent 218, SVMM securityagent 217 may then determine whether such an access constituted asuspicious action such as those indicative of an infection of malware.For example, an attempted change of system memory 228 of a protectedmemory space by an unauthorized application may be a suspiciousactivity, and thus such an attempted change detected by SVMM 216 may beinterpreted by SVMM security agent 217 to be an operation of malware.Such an activity may be reported to protection server 202 for furtherinstruction, or action may be directed by in-O/S security rules 220. Theresult of such a detection may be to block the attempted change insystem memory 228, or triggering additional cleaning operations upon theentity of electronic device 204 which generated the attempted change.

SVMM 216 may monitor additional calls to system resources 214 to protectthe integrity of the SVMM 216, SVMM security agent 217 and/or in-O/Ssecurity agent 218. SVMM 216 may conduct scanning operations, defined bySVMM security rules 222, to scan portions of system memory 228 todetermine whether portions of such memory have been modified by malware.SVMM 216 may make use of signatures, hashes, or other rules indicatingthat a given pattern of memory is known as unsafe or safe.

For example, SVMM 216 may protect in-O/S security agent 218 bypreventing unauthorized read and write access to code and data pagescorresponding to in-O/S security agent 218 in system memory 228. Somemalware may attempt to attack in-O/S security agent 218 by making memorymodifications or other modifications to system resources 214 associatedwith system memory 228. SVMM 216 may read a whitelist contained in SVMMsecurity rules 222 of authorized applications and other entities ofelectronic device 204 that may be permitted to alter the code or data orother system resources 214 corresponding to in-O/S security agent 218.If a modification originates from an entity not contained within thewhitelist, then SVMM 216 may determine that such a modification isassociated with malware. Unauthorized access to system resources 214corresponding to in-O/S security agent 218 may be handled by SVMM in anysuitable manner, including blocking access, creating a honeybot process,reporting violations to protection server 202, or any other suitableremedy.

SVMM 216 may also trap access to system resources 214 belong to otherentities of electronic device 204. For example, a target memory page insystem memory 228 may contain sample code or data belonging to a part ofthe kernel operation of operating system 212. SVMM 216 and SVMM securityrules 222 may limit access to such a target page to only code sectionsthat are authorized. Consequently, if a code page in system memory 228attempts to read or alter the target memory page, and the code pagebelongs to a non-authorized entity of electronic device 204, such anaccess may be blocked by SVMM 216. Thus, SVMM 216 may act to controlaccess to memory pages in system memory 228.

SVMM security agent 217 may be able to update SVMM security rules 222 orin-O/S security rules 220 by contacting protection server 202 forupdated rules. Protection server 202 may configure the rules to bedelivered to SVMM security agent 217 based upon the particular malwareobserved, administrator settings, or other characteristics of electronicdevice 204. SVMM security agent 217 may update the rules of electronicdevice 204 upon demand by a user, periodically, or upon the occurrenceof a significant event, such as the encounter of new suspiciousactivities that may be linked to malware.

SVMM security agent 217 may set flags in VMCS corresponding to compoundconditions. Such flags may span across different types of resources tobe trapped. For example, VMCS may be configured to trap the combinationof a write of a certain value to page in memory, and a subsequent moveof the page to a buffer of an I/O device.

System 200 may contain one or more advantages over other implementationsof anti-malware systems and software. For example, some anti-malwaresolutions may hook various portions of an operating system to trap andevaluate low-level operations of the applications. However, thesesolutions themselves may operate inside of the operating system, or inanother operating system in the case of two guest operating systems. Byoperating within the confines of the operating system, even at akernel-level priority, the anti-malware solution may be susceptible tomalware attacks from malware also running on the same operating system,perhaps running at the same priority. If trapping or triggering uponcertain events is conducted at the level of an operating system, suchtrapping or triggering may be phished, hooked, reverse engineered,compromised, or otherwise defeated by malware running at the same orlower priority for the operating system. For example, an anti-malwaresolution running on an operating system that detects and removes amalicious hook in the operating system may be observed by malwarerunning at the same priority. In another example, an anti-malwaresolution registering as a filter driver to detect the operation of acertain routine may be defeated by malware that registers a maliciousfilter driver lower on the driver stack than the anti-malware solution.Similarly, if handling of certain trapped or triggered events occurs atthe level of an operating system, malware may be able to affect the suchhandling. For example, the malware may undo the corrections of theanti-malware solution, or even disable the operation of the anti-malwaresolution.

In another example, hypervisors may work to virtualize access to systemresources such as system memory 228, but may not conditionally guardaccess to the system resources and thus act as a security hypervisor.Such hypervisors may not have access to anti-malware rules, such asbehavioral rules in security rules 222, to identify maliciousactivities, entities, or malicious attempted access of system resources.Such hypervisors may be running within an operating system themselves,which may be prone to malware running at the same priority level as theoperating system. Such hypervisors may not be running in a “Ring0privileged mode,” because such a mode may require the hypervisor tointercept too many attempted accesses of system resources. Thehypervisor may be tasked with virtualizing all aspects of a guestoperating system, and the demands of such virtualization may be tooexpensive to simultaneously access security rules to check for maliciousbehavior.

FIG. 3 is an example embodiment of a method 300 for virtual machinemonitor-based protection for an electronic device from malware. In step305, the identity and security of a below-O/S security agent, in-O/Ssecurity agent, protection server, and virtual machine monitor may beauthenticated. Such authentication may be done through any suitablemethod, including by locating and verifying the images of each locatedin memory, cryptographic hashing, or secret keys. Until step 305 iscompleted, operation of other steps may be withheld.

In step 310, a protection server may be accessed to determine securityrules. Such security rules may be used to make decisions in steps315-380. In step 315, the virtual machine monitor may be instructed totrap access to system resources. Such access may arise fromapplications, drivers, or operating systems running on the electronicdevice. The virtual machine monitor may be instructed as to what systemresources of the electronic device are to be monitored. The virtualmachine monitor may also be instructed as to what operations on themonitored system resources are to be trapped. For example, read, writeor execute operations on system memory may be trapped. In anotherexample, load or store operations on registers may be trapped. In yetanother example, input or output actions on I/O devices may be trapped.

In step 320, flags corresponding to such operations to be trapped may beset inside a control structure such as a virtual machine controlstructure. Such trapped operations may generate a VM exit, wherein atriggered event is created upon the access of the flagged resource. Instep 325, as system memory is allocated for the virtual machine monitor,the in-O/S security agent, and the below-O/S security agent, such memorymay be secured against unauthorized read and write operations.

The electronic device may operate and be protected by one or more of thetrapping of access of system resources in steps 330-340, scanning memoryfor the presence of malware in steps 345-355, and scanning memory forattempted memory modifications in steps 360-365. Each of trapping theaccess of system resources, scanning memory for the presence of malware,and scanning memory for attempted memory modifications may be conductedin parallel. Further, each of these may be repeated as necessary toprotect the operation of the electronic device.

In step 330, the access of a system resource such as system memory,registers, or I/O devices may be trapped. The access may be trappedusing a VMCS flag generating a VM exit. Such trapping may be conductedbelow the level of operating systems running on the electronic device.In step 335, the access may be analyzed to determine whether therequesting entity has permission to access the requested resource.Contextual information associated with the attempted access may beaccessed to make such a determination. Security rules may be accessed tomake such a determination. An unauthorized access may be determined tobe suspicious. Such handling and determinations may be made below thelevel of operating systems running on the electronic device. If theaccess is suspicious, then in step 340, a suspicious attempted access ofthe system resources may be blocked. Such an attempt may be reported tothe protection server. If the access is not suspicious, then the accessmay be allowed in step 370.

In step 345, memory pages of the electronic device may be scanned forthe presence of malware. While scanning the memory of electronic device,a whitelist may be used to determine whether patterns of memory,reflecting entities resident on electronic device, are known to be safe.If a pattern of memory known to be safe is encountered, then in step370, the memory may be allowed to continue to have access to electronicdevice and may remain. While scanning the memory of electronic device, ablacklist may be used to determine whether patterns of memory are knownto comprise or be associated with malware. The whitelist and blacklistmay be accessed by accessing the security rules. In step 350, if apattern of memory known to be associated with malware is found, then instep 375 the pattern of memory may be denied access to electronic deviceby being repaired, removed, or neutralized.

In step 355, memory may be scanned to determine whether modifications tomemory have been or are being attempted. Such scanning may be conductedbelow the level of operating systems in the electronic device. Suchmemory may include kernel memory, system data structures, or any otherportion of memory of the electronic device that may be modified bymalware. For example, a list of active threads running on the electronicdevice may be modified to hide the presence of a malicious process. If amodification is detected, then in step 365 it may be determined whethersuch modifications are permissible. Whether such modifications arepermissible may be defined by the security rules. For example, the codeor data page of an anti-malware process may be protected againstmodification or access by any other process. If the memory modificationis deemed as authorized, then in step 370, the modification may beallowed. If the memory modification is determined to be unauthorized andnot allowed, then in step 375, the modification may be denied.

In step 370, if an access or modification is allowed, then the access ormodification may be stored for later reference. Some detections ofmalware may utilize information regarding past accesses or modificationsto determine whether such past access and a presently detected accesstogether comprise a malicious access of a resource.

In step 375, if a modification, access, or other operation is denied,then such an event may be reported to the protection server in step 380.Such a report may include information regarding any associated malwareor suspicious behavior.

The steps of method 300 may be repeated as necessary to protect theelectronic device continuously, periodically, or upon demand.

FIG. 4 is an example embodiment of a firmware-based andsecurity-rule-based system 400 for protecting of an electronic device404 from malware. System 400 may be an example embodiment of system 100,wherein certain elements of system 100 are implemented in firmware. Thetrapping operations of system 400 may be conducted below the level ofoperating systems of electronic device 404. System 400 may include oneor more below-O/S security agents configured to trap requests, such asI/O commands, for use or access to resources of the electronic device404. Such below-O/S security agents may be configured to manage theexchange of input and output data between devices or with the mainprocessor of electronic device 404. Such below-O/S security agents maybe embodied in firmware of components, such as device controllers, ofelectronic device 404 or in the firmware of electronic device 404itself. Such firmware may reside in non-volatile memory. Such resourcesof electronic device 404 may include the system resources 106 of FIG. 1or its various possible embodiments, or resources coupled to or embodiedby devices in system 400. System 400 may include one or more below-O/Ssecurity agents configured to trap attempted use of access to theresources of the electronic device 404, generate a triggered eventcorresponding to the attempt, consult security rules regarding thetriggered event, and take corrective action if necessary regarding theattempt.

In one embodiment, the below-O/S security agents of system 400 may beembodied only in firmware of components of electronic device 404, asdescribed below and in the discussions of FIG. 5. In another embodiment,the below-O/S security agents of system 400 may be embodied in firmwareof electronic device 404 itself such as main PC firmware 428. In such anembodiment, main PC firmware 428 may be implemented on a motherboard ofelectronic device 404. In yet another embodiment, the below-O/S securityagents of system 400 may also be embodied in below-O/S agent 450.Below-O/S agent 450 may be implemented in any suitable manner forproviding triggering of access of resources, or handling of suchtriggers, below the level of operating systems of electronic device 404such as operating system 412. For example, below-O/S agent 450 may be anembodiment of SVMM 216 or SVMM security agent 217 of FIG. 2. Below-O/Sagent 450 may include security rules 422.

Electronic device 404 may include one or more components for conductinginput and output operations from electronic device 404. Electronicdevice 404 may include any suitable number of such components and typesof components. Such components may be implemented by devices with theirown processor, memory, and software embedded in firmware. An exampleembodiment of such a component may be the I/O device 502 of FIG. 5.

Electronic device 404 may include, for example, display 424 and storage426. Each such component 424, 426 may include firmware 430, 432.Firmware 430, 432 may each embody the firmware 504 of FIG. 5. Asdescribed above, each such component 424, 426 may include afirmware-based security agent, such as firmware security agent 440, 442.Firmware security agents 440, 442 may each partially or fully embody thefirmware security agent 516 of FIG. 5. In one embodiment, each offirmware security agents 440, 442 may be implemented in their respectivefirmware 430, 432. In another embodiment, each of firmware securityagents 440, 442 may be implemented outside of firmware 430, 432 in eachof their respective components 424, 426. Each of such device firmwaresecurity agents 440, 442 may be communicatively coupled to a respectiveset of security rules 434, 436. Each such security rules 434, 436 mayembody the security rules 518 of FIG. 5.

Electronic device 404 may include firmware. In one embodiment,electronic device 404 may include main PC firmware 428. Main PC firmware428 may be embodied by a Basic Input/Output System (“BIOS”). In oneembodiment, main PC firmware 428 may be configured as the BIOS of acomputer. In such cases, main PC firmware 428 may be configured toinitialize the operation of the processor 406 of the computer. Main PCfirmware 428 may be configured to allow the main processor 406 tocommunicate with I/O devices such as display 424 and storage 426. Insuch embodiments, the computer may also contain a programmable I/Ocontroller, which may be programmed by the firmware or BIOS, andcommunicates with the firmware of the I/O devices such as 424 andstorage 426.

Main PC firmware 428 may include a below-O/S security agent. In oneembodiment, main PC firmware 428 may include a PC firmware securityagent 444. PC firmware security agent 444 may be configured to interceptrequests of system resources 414. To accomplish such functionality, PCfirmware security agent 444 may embody fully or in part thefunctionality of the SVMM security agent 217 or SVMM 216 of FIG. 2,and/or firmware security agent 516 of FIG. 5. PC firmware security agent444 may embody the functionality of SVMM security agent 217 or SVMM 216of FIG. 2 to accomplish below-O/S triggering and handling of access tosystem resources 414, verification and validation of below-O/S agentsand in-O/S security agents such as in-O/S security agent 418, anddistribution of security rules such as security rules 420, 422. PCfirmware security agent 444 may embody the functionality of firmwaresecurity agent 516 of FIG. 5 to accomplish below-O/S triggering andhandling in firmware, updating of security rules, and to evaluate IN andOUT commands sent to portions of electronic device 404.

Electronic device 404 may include security rules 438. Security rules 438may be an example embodiment of the security rules 114 of FIG. 1. In oneembodiment, security rules 438 may reside in main PC firmware 428. Inanother embodiment, security rules 438 may reside outside main PCfirmware 428, and PC firmware security agent 444 may be coupled tosecurity rules 438.

The security agents of system 400 may be configured to work together toprevent malware and its malicious operations. Attempted access ofresources may be trapped, and subsequent events triggered for handlingin firmware security agents in devices such as display 424 or storage426, or in main PC firmware 428. The firmware security agents in suchdevices or firmware may be configured to handle the triggered events orto pass the triggered event to another security agent for handling. Dueto limited execution and update capabilities, some firmware securityagents may be limited in handling their own triggered events, and thusit may be advantageous to pass such triggered events to other securityagents. The security agents to which firmware security agents may passevents may include, for example, in-O/S security agents such as in-O/Ssecurity agent 418, a below-O/S security agent such as below-O/Ssecurity agent 450, or another firmware security agent such as PCfirmware security agent 444. These other security agents may beconfigured to receive the triggered event, consult security rules,contextual information, or permissions, and send back a resulting actionto be implemented.

Accordingly, while FIG. 4 illustrates an example number of elements forconducting below-O/S triggering and handling by firmware-based securityagents, more or less elements may be used in various embodiments. Asmore or less elements are used, the functionality of each element and ofsystem 400 may change accordingly. In one embodiment, the securityagents of system 400 below the level of the operating system 412 may belimited to one or more in-O/S security agents 418 and firmware securityagents 440, 442. In such an example, the firmware security agents 440,442 may rely upon protection server 402 for updates to security rules434, 436. Firmware security agents 440, 442 may rely upon in-O/Ssecurity agent 418 for updates or handling of triggered events, but theoperation of the in-O/S security agent 418 may be less secure unless abelow-O/S security agent validates in-O/S security agent. Firmwaresecurity agents 440, 442 may provide triggering based upon firmwaresecurity rules 434 established at installation, manufacture, orconfiguration. Such security rules may be relatively static. In such acase, firmware security agents 440, 442 may be configured to providerelatively basic event triggering, with little analysis. Such firmwaresecurity agents 440, 442 may nonetheless be useful, as such triggeringis accomplished below the operating systems of electronic device 404,thus better detecting some malicious or suspicious operations.

In another embodiment, the security agents of system 400 may includeeither PC firmware security agent 444 or below-O/S agent 450, but notboth. In such a case, the functionality of PC firmware security agent444 may be implemented by below-O/S agent 450, and vice-versa. Either PCfirmware agent 444 or below-O/S agent 450 may be coupled to protectionserver 402 and configured to obtain information such as security rules420, 422, 438, 434, 436, and to share such information with othersecurity agents in system 400. Such security rules may be tailored toeach respective security agent for the purposes of communication,update, or storage expense. Either PC firmware agent 444 or below-O/Sagent 450 may be configured to receive triggered events from othersecurity agents such as firmware security agents 440, 442, applysecurity rules and other information, and take corrective action such assending a resulting event to the firmware security agents 440, 442 orinformation to protection server 402. Either PC firmware agent 444 orbelow-O/S agent 450 may be configured to trap attempted accesses ofsystem resources 414. Either PC firmware agent 444 or below-O/S agent450 may be configured to communicate with in-O/S security agent 418 todetermine the context of triggered events. If more than one in-O/Ssecurity agent 418 is present in system 400, each in-O/S security agent418 may be configured to perform a designated portion of the trapping,validating, or other tasks associated with in-O/S security agent 418.Such portions may be defined by below-operating-system security agents.For example, one in-O/S security agent 418 may validate or investigateMOV instructions, while another in-O/S security agent 418 may validateor investigate JMP instructions.

In yet another embodiment, security agents of system 400 may includeboth PC firmware security agent 444 and below-O/S agent 450.Nevertheless in such an embodiment, some or all of the functionality ofPC firmware security agent 444 may be implemented by below-O/S agent450, and vice-versa. The delineation of tasks between PC firmwaresecurity agent 444 and below-O/S agent 450 may take into account severalfactors. For example, the operation of a security agent within firmwaresuch as PC firmware security agent 444 may be more secure than theoperation of another below-O/S agent 450. However, updating the securityrules and the software of below-O/S agent 450 may be simpler and fasterthan in a PC firmware security agent 444.

In still yet another embodiment, one or more firmware security agents440, 442 may reside on system 400 independent of a PC firmware securityagent 444 or a below-operating system agent 422. In such an example, thefirmware security agents 440, 442 may validate the instance ofin-operating system security agent 418.

Each of firmware security agents 440, 442, 444 may be configured toreside within firmware logic sufficient to be able to monitor andcontrol firmware logic for external communication. Firmware securityagents 440, 442, 444 may thus be configured to trap and/or thecommunication of specific information or with specific other entities.Firmware security agents 440, 442, 444 may be configured to determinethe operation request received, as well as the data to be sent orreceived. Furthermore, firmware security agents 440, 442, 444 may beconfigured to control the data to be sent or received, and may beconfigured to cause additional operations on the data, such asencryption, compression, embedding of watermarks, or decoding ofwatermarks in the data. Other security agents of system 400 incommunication with firmware security agents 440, 442, 444 may beconfigured to embed watermarks in data to be trapped by firmwaresecurity agents 440, 442, 444, or to decode watermarks put into data byfirmware security agents 440, 442, 444.

Communication with a firmware security agent 440, 442 or PC firmwaresecurity agent 444 may be conducted, for example, through programmableinput-output interrupts or programmable input-output registers. Suchinterrupts or registers may be defined and provided by the maker of thefirmware or device in which the firmware security agent 440, 442, 444resides.

One or more of the below-O/S security agents of system 400 may beconfigured to serve as a main security agent to coordinate theanti-malware activities of the firmware-based security agents ofelectronic device 404. In one embodiment, PC firmware security agent 444may be configured as the main security agent of system 400. In anotherembodiment, below-O/S agent 450 may be configured to serve as the mainsecurity agent. The security agent may be configured to handle triggeredevents from firmware security agents 440, 442. The main security agentmay be configured to validate the operation of firmware security agents440, 442, as well as other security agents such as in-O/S security agent418. The main security agent may be configured to notify other securityagents about whether one of the security agents has noticed suspiciousbehavior or detected malware, whether the system 400 is under a malwareattack, or whether an administrator of system 400 has changedpreferences or settings affecting security. The main security agent mayshare information about the attack with the other security agents ofsystem 400.

By trapping access to resources of system 400 and/or handling theresulting triggered events below the level of the operating systems ofsystem 400, system 400 may provide increased security against malware.Operation of a security agent in firmware may reduce the opportunity formalware to affect the operation of the security agent. Trappingoperations in firmware or at the device level may reduce the ability ofmalware to spoof or phish elements of system 400 in order to disguiseits operation. For example, no matter what portions of operating system412 are compromised by malware, a request to a component 424, 426 mightnot be disguised from the device itself.

FIG. 5 is a more detailed view of an example embodiment of afirmware-based solution for protecting an electronic device frommalware. A device such as I/O device 502 may be configured to receiveand trap requests for use or access to resources of the device. In oneembodiment, I/O device 502 may be configured to process such trappedrequests to determine whether the requests indicate a presence ofmalware. In another embodiment, I/O device 502 may be configured to passsuch a trapped request as a triggered event to another portion of asystem in which I/O device resides. Such another portion of the systemmay include a below-O/S security agent. I/O device 502 may includefirmware 504 and a processor 506 coupled to a memory 508, wherein thefirmware 504 may include instructions that reside in memory 508 forexecution by processor 506.

I/O device 502 may include any suitable portion of an electronic devicefor controlling access to a resource for the electronic device. In oneembodiment, I/O device 502 may embody some or all of a peripheral for anelectronic device. I/O device 502 may be embodied by, for example, adisplay controller card, computer bus controller, cache device, I/Ocontroller device, disk controller, memory device, network controller,motherboard, or keyboard controller. I/O device 502 may reside in anelectronic device. In one embodiment, I/O device 502 may be coupled tophysical components. Such physical components may include, as justexamples, a display, a computer bus, memory, I/O controllers, a disk, anetwork card, or a keyboard. In another embodiment, I/O device 502 mayreside separately from the coupled physical components. For example, akeyboard controller may be coupled through a serial interface with akeyboard. In such embodiments, I/O device 502 may reside in anelectronic device while such physical components may be communicativelycoupled to the electronic device but reside outside the electronicdevice.

Firmware 504 may be configured to control the operation of I/O device502. Firmware 504 may include a below-O/S security agent 516 configuredto trap requests for resources, operate below the level of operatingsystems in I/O device 502 or in systems in which I/O device 502 resides.Below-O/S security agent 516 may be configured to handle eventsresulting from the trapped requests to determine whether to allow, deny,or otherwise handle the request, in order to protect I/O device 502 orsystems in which I/O device 502 resides from malware. In one embodiment,firmware 504 may include a firmware security agent 516. Firmwaresecurity agent 516 may incorporate some or all of the functionality ofSVMM 216 or SVMM security agent 217 of FIG. 2, but is embodied infirmware 504. In such a case, the functionality of SVMM 216 or SVMMsecurity agent 217, such as trapping access to resources and/or handlingthe trapped request, may be conducted by firmware security agent 516. Inone embodiment, firmware security agent 516 may be configured to residein firmware 504.

Firmware 504 may include I/O commands 510, a data transmission engine512, and programming logic 514. I/O commands 510 may includeinstructions for sending or receiving information to the device. Suchcommands may include variations of IN or OUT commands. The execution ofI/O commands 510 may be operable to perform the desired actions of thedevice. Requests received by the device may be translated into I/Ocommands. Trapping or triggering upon particular requests for resourcesmay be accomplished by trapping or triggering upon the associated I/Ocommands 510. Data transmission engine 512 may be configured to handlethe communication of requests to the device, and subsequent responses.Data transmission engine 512 may be coupled to the processor 506 and toa programmable I/O controller over an I/O bus, over which I/O commands510 and data are exchanged. Programmable logic 514 may be configured toprovide instructions for firmware 504 to operate I/O commands 510 anddata transmission engine 512. The programming logic 514 may be loadedinto a processor such as processor 506.

Firmware security agent 516 may be configured to modify the operation ofprogramming logic 514 to detect attempted malicious operations. Firmwaresecurity agent 516 may also be configured to monitor the communicationof requests to the device to intercept requests of I/O device 502through data transmission engine 512 and to determine whether suchrequests are malicious. Firmware security agent 516 may include acontrol structure in which flags may be set corresponding to operationsthat are to be trapped. In one embodiment, flags may be set in thestructure according to memory address of commands which are to betrapped. Firmware security agent 516 may be configured to set flags forthe interception of requests to I/O device 502. Such flags maycorrespond to, for example, specific commands of I/O commands 510 orsuch specific commands in combination with specific parameters. Suchflags may be configured to intercept particular requests or categoriesof requests. Upon the triggering of a particular flag corresponding to atrapped attempted operation of an I/O command 510, firmware securityagent 516 may be configured to process the event and take a resultingaction, pass resulting information to another security agent through thedata transmission engine 512, or pass the triggered event through datatransmission engine 512.

I/O device 502 may also include security rules 518. Security rules 518may implement some or all of security rules 222 of FIG. 2. Securityrules 518 may be implemented in memory 508. In one embodiment, securityrules 518 may reside outside of firmware 504. In another embodiment,security rules 518 may reside inside of firmware 504. Firmware securityagent 516 may be communicatively coupled to security rules 518 andconfigured to access security rules 518 to determine what flags to setin firmware 504 to trap particular requests or categories of requestsmade to I/O device 502 for access to its resources. For example,firmware security agent 516 may be configured to access security rules518 to determine whether a triggered event is malicious or not. In oneembodiment, security rules 518 may contain instructions for firmwaresecurity agent 516 to process the triggered event. Firmware securityagent 516 may be configured to use such instructions to determinewhether to allow or deny the request, or to take another correctiveaction. In another embodiment, firmware security agent 516 may beconfigured to use such instructions to determine whether to report therequest to another security agent. Such corrective actions may alsoinclude waiting for a response from the other security agent, which maycontain instructions on whether to allow or deny the request.

In some embodiments, firmware security agent 516 may reside in firmware504, which may make it relatively difficult to update firmware securityagent 516. In addition, the ever-changing nature of malware attacks mayrequire anti-malware solutions to be flexible. Consequently, firmwaresecurity agent 516 may use any suitable mechanism for receivinginformation for determining what requests to I/O device to trap, andwhat subsequent actions to take.

In one such embodiment, such a mechanism may include accessing securityrules 518 as described above. Firmware security agent 516 may beconfigured to receive new and updated security rules 518 from othersecurity agents or protection servers. To achieve flexibility, firmwaresecurity agent 516 may be configured to store security rules 518 inmemory 508 separate from firmware 504, if—for example—storage of suchrules in firmware 504 would make updating security rules 518 difficult.

In another such embodiment, firmware security agent 516 may beconfigured to update security rules 518 upon an update or flash offirmware. In such an embodiment, the flexibility of updating therequests to be trapped may be limited. Consequently, security rules 518may be directed to very specific, protected resources. For example,security rules 518 of a disk device may include instructions to trap allwrite requests to the boot sector of the device. In some cases, wherecommunication with other security agents is inexpensive, security rules518 may include instructions to trap a wide variety of requests, whereinprocessing may be largely offloaded to other security agents.

In yet another such embodiment, firmware security agent 516 may beconfigured to receive instructions from other security agents. In onecase such instructions may take the form of parameters to function callsof the firmware 504 or firmware security agent 516. For example, anothersecurity agent may call a function of firmware security agent 516 named“UpdateRule(trigger, action)” wherein a request to trap for is detailedin trigger and a subsequent action to take is detailed in action.Firmware security agent 516 may thus update security rules 518 byreceiving instructions concerning updates to security rules. In anothercase, another security agent may write updates for security rules 518 toa reserved memory space of device 502 which may be subsequently accessedby firmware security agent 516. The instructions to be received fromother security agents may also direct firmware security agent 516 to usespecific sets of security rules 518. For example, during a time-criticaloperation firmware security agent 516 may be configured by suchinstructions to use a minimal, core set of security rules 518. If I/Odevice 502 is a disk device, such a minimal, core set of rules mayinclude instructions to trap access to the boot sector of the disk. Inanother example, if time-critical operations are not being presentlyconducted, firmware security agent 516 may be configured by suchinstructions to employ rules from security rules 518 to trap a muchbroader range of access attempts and to send corresponding events toother security agents for handling.

Firmware security agent 516 may be configured to control I/O commands510, scan content or data received or to be sent, and apply accesscontrol over the commands and content. Firmware security agent 516 maybe implemented as an extension of existing device firmware.

The implementation of firmware security agents 516 may depend upon thetype of device 502. For example, display devices and disk devices maytrigger on different kinds of content or attempted commands. Thecreation of firmware security agents 516 in various devices may betailored to the specific kind of interface with the device. For example,if device 502 is configured to communicate through a Serial AdvancedTechnology Attachment (“SATA”) bus, it may be equipped with firmwaresecurity agents 516 similar to other devices communicating through SATAbusses. Firmware security agent 516 may be customized to support thearchitecture of device 502, support an external bus I/O of device 502,or other interfaces of device 502.

Firmware security agent 516 may be configured to trap attempted accessof resources in device 502 by intercepting particular read and writecommands, which may make up part of a request of a resource. A read orwrite command may be intercepted, evaluated, and blocked or allowedbased on a rule such as one in security rules 518. Security rules 518for a firmware security agent 516 may include any suitable rules fordetecting evidence of malware. Such a read and write command may be theresult of, for example, a function call to a driver or an interrupt.

For example, security rules 518 may include rules for firmware securityagent 516 to scan data to be written to the device. The content of thedata, or a hash of the data, may be evaluated to determine whether thedata corresponds to malware data or code. Such evaluations may be madeby comparing the content against data or signatures in a whitelist orblacklist. Successive writes may have to be evaluated together toproperly evaluate the full scope of the data or content to be written,in order to correctly identify the contents or data as malware or not.For example, a file may be written to in repeated successive calls todevice 502. The data to be written may be queued such that a proper scanof the contents of the write command may be evaluated.

In another example, security rules 518 may include rules for firmwaresecurity agent 516 to scan existing data in the device. The device 502may contain content received from outside the system such as in anetwork card. The contents of the received information, as it resideswith the device 502, may be scanned for evidence of malware. Firmwaresecurity agent 516 may make evaluations by comparing the content againstdata or signatures in a whitelist or blacklist.

In yet another example, security rules 518 may include rules forfirmware security agent 516 to evaluate a command based upon time orpermissions. A device 502 such as a network device or disk may beprotected from reads or writes during times when no legitimate activityshould be conducted. For example, certain malware may attack disk drivesduring boot. Thus, firmware security agent 516 may prevent any writes tothe device during the time that the disk is being booted. Similarly,permissions may be set by an administrator of the system in which device502 resides about when or how devices or systems can be used. Forexample, an administrator of the system in which device 502 resides mayset a device to be unusable outside of business hours. A network deviceon the system may have no legitimate purpose to transport activityoutside of business hours, and thus based on the permissions in securityrules 518, reads and writes of the network device may be blocked byfirmware security agent 516. Such use may block, for example, deliberateactivity by an actual user of the device, or by malware using thenetwork device to conduct a denial-of-service attack.

In still yet another example, security rules 518 may include rules forfirmware security agent 516 to evaluate a command based upon parametersused with the I/O commands. Such parameters may include, for example,the address to which a write command will write. Security rules 518 mayinclude a rule indicating that a particular portion of a disk device isread-only. Thus, firmware security agent 516 may examine the parametersassociated with an OUT command for writing data to the disk to determinethe address to which the data will be written, and block the command ifthe attempted write is to a portion of disk that is write-protected by arule in security rules 518. Firmware security agent 516 may considersuch a parameter in conjunction with other bases such as content or theentity which originated the call. For example, scanning the content ofdata to be written may be expensive, and accordingly a security rule 518may configure firmware security agent 516 to scan data to be writtenonly if data is to be written to certain ranges of addresses. In anotherexample, security rules such as security rule 518 may only allow certaincalling entities to write or read from certain portions of the diskdevice. Thus, firmware security agent 516 may trap the attempted writeor read and not allow the attempt until the identity of the callingentity may be securely determined. Such a determination may be made byevaluating information in the parameters used to call the devicefunction, as some such functions may identify the calling device driveror application. In such a case, firmware security agent 516 may take anyappropriate steps to determine the validity of the call. In oneembodiment, firmware security agent 516 may consult a whitelist orblacklist in security rules 518 to determine whether the calling entityis authorized to make such a call. In another embodiment, firmwaresecurity agent 516 may communicate with other security agents in thesystem containing device 502 to determine whether the callingapplication or device driver is valid. Such other security agents mayhave validated the operation of the calling application or devicedriver, or may communicate with in-O/S security agents that may haveverified such operations. In yet another example, the existing drivercalls to a device such as device 502 may not identify the callingentity. Accordingly, no parameters may be available. In such an example,firmware security agent 516 may be configured to pass the triggeredevent or otherwise consult with other security agents in the system todetermine the context of the call which resulted in the attemptedaccess. Such other security agents may be able to provide suitablecontext for the call to determine whether an authorized entity made theattempt.

In a further example, security rules 518 may include rules for firmwaresecurity agent 516 to evaluate a command based on information from theenvironment in which device 502 resides. Other security agents in thesystem may have detected a malware infection that is difficult toremove, or may require direct intervention from an administrator toclean. The other security agents in the system may have observedsuspicious behavior, and the nature of the behavior has not yet beencompletely analyzed. In such a case, firmware security agent 516 mayreceive notification of such an existing threat from the other securityagents. Security rules 518 may thus dictate preventative actions forfirmware security agent 516 depending upon the type of infection. Forexample, firmware security agent 516 in a keyboard device may receivenotification that evidence of a particular type of malware known forkeylogging has been detected but cannot yet be removed. Security rules518 may thus dictate that firmware security agent 516 disallow all readsand writes from the keyboard device to prevent a compromise of theinformation being communicated with the keyboard.

Firmware security agents 516 may protect the I/O of different types ofdevices in different ways. For example, a firmware security agent 516 ofa display device may shut down portions of the display, depending uponthe malware threat. Firmware security agent 516 may block the display ofcertain patterns, causing a watermark to be produced on the screen.Firmware security agent 516 may trap the attempted display of aparticular pattern. Firmware security agent 516 may intercept attemptedreads of information from the device in order to preventscreen-captures.

In another example, a firmware security agent 516 for a keyboard devicemay optionally encode or decode its results in communication with therest of the system. Such encryption may be set by the firmware securityagent 516 upon notification that a malware threat such as a keylogger ispresent.

In yet another example, a firmware security agent 516 for a networkdevice may trap based upon source Internet Protocol (“IP”) address,source port number, data to be sent or received, destination IP address,or destination port number. Once such an attempt to use the networkdevice is trapped, firmware security agent 516 may scan the data payloadof packets to be sent or received for evidence of malware. In oneembodiment, such data payloads may be sent to another security agent ora protection server, wherein the contents may be scanned for evidence ofmalware. The contents of the data payload may be encrypted such that apacket sniffer may not successfully intercept the contents. Attemptedoperations on the network device may be trapped due to security risksassociated with communicating with unsafe network destinations, whereinnetwork communication with a malicious destination may compromise thesecurity of the system in which device 502 resides. Attempted operationsmay be trapped due to the sensitive nature of particular sets of data,such as a banking website. In such a case, upon receipt of data fromsuch a website, the data may be encrypted by firmware security agent 516before being passed to another security agent or to the calling entity.Such encryption may prevent a packet sniffer or filter in the system ofdevice 502 from successfully intercepting the information.

The specific I/O commands 510 to be trapped may depend on the specificdevice and the operations of that device. Thus, the maker of device 502may decide how to configure the operation of a firmware security agent516 for a particular device 502. The maker of device 502 may decide howmuch to expose the functionality of device 502 to other security agents.For example, device 502 may be configured to require validation withother security agents before handing off triggered events to suchsecurity agents.

In operation, one or more below-O/S security agents may be running inthe firmware of system 400 or of the components of system 400. Firmwaresecurity agent 440 may be operating in display 424, firmware securityagent 442 may be operating in storage 426, and PC firmware securityagent 444 may be operating in main PC firmware 408. Below-O/S agent 450and in-O/S agent 412 may be operating in system 400. Each security agentmay communicate with one or more other security agents in system 400.Each such security agent may validate the instance of another securityagent before accepting communication. Protection server 402 maycommunicate with one or more of the security agents after validating thesecurity agent.

PC firmware security agent 444 or below-O/S agent may be designated as amain security agent. The main security agent may communicate withprotection server 402 to determine security rules. The main securityagent may store the security rules locally to the main security agent.The main security agent may distribute security rules to each of thesecurity agents, wherein the security rules may be stored locally to thesecurity agent. The security rules may be customized for the type, make,or model of the device to reduce the expense of a large set of securityrules.

Upon receipt of security rules such as rules 434, a device such asdisplay 424 may set flags in a control structure within the devicefirmware 430 corresponding to operations of the device that are to betrapped. Similar tasks may be performed by storage 426.

An application 410 or driver 411 may try to access a device such asdisplay 424 or storage 426. Application or driver 411 may make such anattempt by calling the kernel of operating system 412, which in turn maycall operating system device drivers, which in turn may send the requestto the component 424, 426.

The request may arrive at a device such as storage 426. Firmwaresecurity agent 442 running on the device may filter such a requestthrough monitoring data transmission engine 412 of the storage 426 witha control structure. The request may take the form of an I/O command 510made available by the storage 426. If the request matches any flags thathave been set by firmware security agent 442, the request may be trappedand a resulting event may be triggered. Firmware security agent 442 mayconsult security rules 436 to determine how to handle the triggeredevent.

In one embodiment, the triggered event may be handled by firmwaresecurity agent 442, and based upon the information available such asassociated data, the command, contextual information, time, orenvironmental information, corrective action many be taken. Suchcorrective action may include allowing or denying the request, removingmalicious code or data, or encrypting data to be transferred. Othercorrective action may include sending information to be passed toprotection server 402 concerning the trapped event. Firmware securityagent 442 may inform other security agents about the status of thetrapped event, so that other such agents may also take corrective actionafter consulting their respective security rules. For example, iffirmware security agent 442 detects a malware attack of unknown origin,firmware security agent 440 may lock out additional access to thedisplay 424.

In another embodiment, the triggered event may be transferred to anothersecurity agent for handling, such as in-O/S security agent 418, PCfirmware security agent 444, or below-O/S agent 450. The receivingsecurity agent, for example, PC firmware security agent, 444, may handlethe triggered event by consulting security rules 438. Based upon theinformation available such as the data, command, contextual information,time, or environmental information, the request represented by thetriggered event may be allowed or denied by PC firmware security agent444. PC firmware security agent 444 may communicate with in-O/S securityagent 418 to determine contextual information concerning the attemptedaccess of resources. PC firmware security agent 444 may communicate withprotection server 402 for additional information on how to handle thetriggered event. PC firmware security agent 444 may send instructionsfor resulting action back to the originating firmware security agent442. PC firmware security agent 444 may send information concerning thetriggered event to protection server 402 to be analyzed or recorded.Such analysis or recording may be conducted when the malicious nature ofa triggered event is unknown. PC firmware security agent 444 may notifythe security agents of system 400 that a particular kind of malware hasbeen detected, a kind of suspicious activity has been detected, or thatthe system 400 is under a malware attack.

Upon receipt of information from PC firmware security agent 444,firmware security agent 440 may take corrective action. Such action mayinclude allowing or denying the attempted access, encrypting data to betransferred, or removing malicious code or data.

FIG. 6 is an example embodiment of a method 600 for firmware-basedconfigurable protection for an electronic device from malware. In step605, the identity and security of a below-O/S security agent, in-O/Ssecurity agent, protection server, and firmware security agent may beauthenticated. Such authentication may be done through any suitablemethod, including by locating and verifying the images of each locatedin memory, cryptographic hashing, or secret keys. Until step 605 iscompleted, operation of other steps may be withheld.

In step 610, a protection server may be accessed to determine securityrules. Such security rules may be used to make decisions in thefollowing steps. In step 615, the firmware security agent may beinstructed to trap access to system resources. Such access may arisefrom applications, drivers, or operating systems running on theelectronic device. The firmware security agent may be instructed as towhat system resources of the electronic device are to be monitored. Thefirmware security agent may also be instructed as to what operations onthe monitored system resources are to be trapped. For example, read andwrite commands to a device on which the firmware security agent isrunning may be identified to be trapped. In step 620, flagscorresponding to such operations to be trapped may be set in a controlstructure. Such trapped operations may generate a triggered event.

The electronic device may operate and be protected by one or more of thetrapping of access of system resources in steps 630-675, or scanningdata for the presence of malware in steps 680-685. Each of trapping theaccess of system resources and scanning data for the presence of malwaremay be conducted in parallel. Further, each of these may be repeated asnecessary to protect the operation of the electronic device.

In step 630, the access of a system resource such as system memory,registers, or I/O devices may be trapped. Such trapping may be conductedbelow the level of operating systems running on the electronic device.Such trapping may be conducted within firmware. In step 632, a resultingtriggered event may be generated associated with the trapped attempt, aswell as any associated information. In step 635, it may be determinedwhether the triggered event should be presently handled or passed toanother security agent for handling. Such a determination may be made byaccessing one or more security rules. If the triggered event should bepresently handled, then in step 640 the security rules may be accessedto determine what actions to take based on the trapped event and otherinformation, such as associated data, the command, contextualinformation, time, or environmental information. For example, the datato be written or read may be scanned for sensitive or malicious content;the calling entity may be identified to see if the entity haspermission; the parameters used to call the command may be examined; oralerts about malware in the system from other security agents may bereferenced.

In step 642 it may be determined whether the attempted access wassuspicious or not. If accessing the security rules in combination withinformation associated with the attempted access yields a determinationthat the attempted access is not suspicious, then in step 645 theattempt may be allowed. If it is determined that such an attempt issuspicious, then in step 647 corrective action may be taken. Suchcorrective action may include removing malicious content from data,informing a protection server or other security agents about thepresence of a malicious attempt, disallowing the attempted access, orencrypting data to be transferred. If the attempt is not suspicious,then in step 650 the triggered event may be allowed.

In step 655, if it is determined that another security agent is tohandle the triggered event, the triggered event is passed to anothersecurity agent for handling. In step 670, a response from the securityagent may be received indicating appropriate action to be taken. In step675, such action may be taken, such as corrective action or allowing theoperation of the triggered event.

In step 680, memory of a device may be scanned for the presence ofmalware. Such memory may contain contents that have arrived from anotherentity, such as another network card or the results of a previouslyexecuted file read. If the contents of the memory are known to bemalicious, suspicious, or unknown, then in step 685, the contents of thememory may be removed.

In step 690, if an attempted access was denied, or if suspiciouscontents were found, then such an event may be reported to anothersecurity agent or a protection server. Such a report may includeinformation regarding any associated malware or suspicious behavior.

The steps of method 600 may be repeated as necessary to protect theelectronic device continuously, periodically, or upon demand.

FIG. 7 is an example embodiment of a microcode-based system 700 forprotection of an electronic device 204 against malware. System 700 maybe an example embodiment of system 100, implementing certain elements ofsystem 100 in a microcode. The trapping operations of system 700 may beconducted below the operating systems of electronic device 701. System700 may include one or more below-O/S security agents configured to trapattempted use of access to the resources of the electronic device 204,generate a triggered event corresponding to the attempt, consultsecurity rules regarding the triggered event, and take corrective actionif necessary regarding the attempt. Such below-O/S security agents maybe configured to intercept information generated from resources of theelectronic device 701, generate a triggered event corresponding to thegeneration, consult security rules regarding the triggered event, andtake corrective action if necessary regarding the attempt. One or moreof such below-O/S security agents may be implemented fully or in part ina processor of system 700. The below-O/S security agents may beimplemented fully or in part in microcode (“μC”) of such a processor.The system resources 724 of electronic device 701 that may be protectedby system 700 may include, for example, resources similar to the systemresources 224 of FIG. 2, physical memory 714, processor flags 716,exceptions 718, registers 720, or interrupts 722.

System 700 may include a microcode-based below-O/S security agent suchas microcode security agent 708. Microcode security agent 708 may residewithin the microcode 708 of a processor such as processor 704. In oneembodiment, microcode security agent 708 may be configured to trapattempted access of system resources 724 made by portions of system 700such as application 710, driver 711, or operating system 713. Microcodesecurity agent 708 may be configured to create a triggered event basedon such an attempted access of system resources 724. For example,operating system 713 may attempt to launch a program by attempting toexecute a segment of code in an address in physical memory 714. Inanother example, operating system 713 may attempt to read or write anaddress in physical memory 714. Although physical memory 714 is shown,microcode security agent may be configured to trap an attempt to accessvirtual memory. In another embodiment, microcode security agent 708 maybe configured to trap attempted communication of information from otherportions of processor 702, such as microcode modules 710. Microcodemodules 710 may include other portions of processor 702 configured toconduct the operation of processor 702 to execute instructions. Suchattempted communication of information may include the results ofoperations from system resources 724. For example, during the processingof code, and divide-by-zero operation may be intercepted by a microcodemodule 710 and may attempt to generate and communicate an exception 718.

Microcode 706 may include hardware-level instructions for carrying outhigher-level instructions received from elements of system 700 such asoperating system 713. Microcode 706 may translate such higher-levelinstructions into circuit-level instructions to be executed by processor702. Microcode 706 may be specific to the electronic circuitry or typeof processor embodied by processor 702. Microcode 706 may be configuredwith the specific contents of microcode 706 upon the creation ofprocessor 702. The ability to update or reprogram microcode 706 onprocessor 702 may be limited. Microcode 706 may reside in an internalprocessor memory 704. Internal processor memory 704 may be a high-speedmemory separate from the system memory of system 700, such as memory703. In one embodiment, internal processor memory 704 may beread-only-memory. In another embodiment, microcode 706 may reside in aprogrammable logic array included in internal processor memory 704. Inyet another embodiment, internal processor memory 704 may include or beimplemented as a memory store or a control store. In such an embodiment,internal processor memory 704 may be implemented partially or in full bystatic-random-access-memory or flash memory. In such an embodiment,microcode 706 may be configured to be loaded into the memory store fromsome other storage medium, such as memory 703, as part of theinitialization of the processor 702, and may be configured to beupdated, reinstalled, or receive new information such as security rulesor machine instructions through data written to the memory store.

Microcode security agent 708 may be configured to access security rules707 to determine what operations, commands, communications, or otheractions to trap. Security rules 707 may reside within microcode 706, oranother suitable portion of processor 702 or system 700. Security rules707 may be implemented by functional calls from entities outsideprocessor 702, such as other security agents making calls to microcodesecurity agent 708 and passing information through parameters. Microcodesecurity agent 708 may be communicatively coupled to security rules 707.In one example, a security rule 707 may have logic such as:

-   -   If address (x) is executed by code in virtual memory range        (X1-->X2) or physical memory range (Y1-->Y2), then generate a        triggered event to below-O/S agent for handling;    -   If address (x) is executed by code in physical memory range        (Z1-->Z2), then skip instruction;    -   If A, B, and C; then memory range (Y1-->Y2) may access memory        range (X1-->X2); and    -   Only code from memory ranges (Y1->Y2) and (T1->T2) may write to        (Z1-->Z2).

Microcode 706 may include a state machine to understand the context ofinstructions that have been received. Such information may be needed tocarry out certain security rules 707 which, for example, evaluatesuccessive operations within the context of each other. Such informationmay be passed with a triggered event.

One or more of the below-O/S security agents of system 700 may also beembodied in below-O/S agent 712. Below-O/S agent 712 may be implementedin any suitable manner for providing triggering of access of resources,or handling of such triggers, below the level of operating systems ofelectronic device 701 such as operating system 713. Below-O/S agent 712may embody some or all of the functionality of SVMM 216 or SVMM securityagent 217 of FIG. 2; firmware security agent 440, 442 or PC firmwaresecurity agent 444 of FIG. 4; or firmware security agent 516 of FIG. 5.Below-O/S agent 712 may be communicatively coupled to security rules723.

In one embodiment, one or more of the below-O/S security agents ofsystem 700 such as below-O/S agent 712 may be configured to handletriggered events generated by microcode-based security agents such asmicrocode security agent 708. Below-O/S agent 712 may be configured toalso trap access to resources or handle triggered events in a similarfashion as below-O/S agents in FIGS. 1-2 and 4-5. Below-O/S agent 712and microcode security agent 708 may be communicatively coupled.Microcode security agent 708 may be configured to send triggered eventsto below-O/S agent 712. Below-O/S agent 712 may be communicativelycoupled to other security agents such as in-O/S security agent 719, andmay be communicatively coupled to protection server 202. Below-O/S agent712 may be configured to receive contextual information from othersecurity agents such as in-O/S security agent 719. Such information mayprovide information about the entity which generated an attempted accessto system resources 724. If more than one in-O/S security agent 719 ispresent in system 700, each in-O/S security agent 719 may be configuredto perform a designated portion of the trapping, validating, or othertasks associated with in-O/S security agent 719. Such portions may bedefined by below-operating-system security agents. For example, onein-O/S security agent 719 may validate or investigate MOV instructions,while another in-O/S security agent 719 may validate or investigate JMPinstructions.

Below-O/S agent 712 may also be configured to receive security rules orjust-in-time information from protection server 202. Furthermore,below-O/S agent 712 may be configured to consult security rules such assecurity rules 723, any received contextual information from othersecurity agents such as in-O/S security agent 719, or protection server202 in order to determine how to handle a received triggered event frommicrocode security agent 708.

In particular embodiments, below-O/S agent 712 may contain a behavioralstate machine, to understand the context of operations encountered insystem 700. Below-O/S agent 712 may then be configured to determine anappropriate action to be executed by microcode security agent 708 basedupon the context. Such action may include a corrective action, allowingan operation, denying an operation, or taking other steps in furtheranceof the requirements of a security rule. Microcode security agent 708 maybe configured to take such actions as received from below-O/S agent 712.

Below-O/S agent 712 may be also be configured to determine anappropriate action to be executed by another security agent, such asin-O/S security agent 719. For example, if a triggered event frommicrocode security agent 708 indicates a particular kind of malwarethreat, or a threat to a particular portion of the kernel or user modeof electronic device 701, below-O/S agent 712 may be configured toinstruct in-O/S security agent 719 to take a corrective action. Thus,below-O/S agent 712 may control in-O/S security agent 719.

Below-O/S agent 712 may be configured to validate the instance ofmicrocode security agent 708, and vice-versa. Below-O/S agent 712 may beconfigured to communicate with microcode security agent 708 to share orset security rules such as those from security rules 723 to beimplemented in security rules 707, status information regarding system700, administrator or environmental settings and preferences, or othersuitable information for microcode security agent 708 to trapoperations, generate triggers, and handle such triggers or send them toother security agents.

Below-O/S agent 712 may be configured to communicate such information tomicrocode security agent 708 through any suitable mechanism. Below-O/Sagent 712 may call functions of the processor 702, microcode 706, ormicrocode security agent 708, and pass information as parameters to thefunctions. Such functions may be created specifically to pass suchchanges to microcode security agent 708. For example, to ban the accessof a range of physical memory “A” from any entity operating from thememory from another range of physical memory “B,” a function such as“Bar_Memory(A, B)” could be used. Microcode security agent 708, as aresult of this function being called, may be configured to setparameters within microcode 706. Calling such microcode instructions maybe privileged, such that microcode security agent 708 may be configuredto validate below-O/S agent 712 before calling such microcodeinstructions on behalf of below-O/S agent 712. In another example,below-O/S agent 712 or microcode security agent 708 may communicate suchinformation by writing data to a memory store, control store, or otherwriteable portions of processor 702 or microcode 706.

Processor 702 may have limited resources for microcode security agent708 to fully implement all necessary trapping and handling to protectsystem 700 from malware. In one embodiment, microcode security agent 708may be configured to implement only trapping of actions to be conductedby processor 702, and may offload triggers associated with such trappingto other security agents or components of system 700 for subsequenthandling. Microcode security agent 708 may take subsequent action, suchas allowing or disallowing a request or communication, or may take otheraction such as reporting information. In another embodiment, microcodesecurity agent 708 may be configured to implement handling of a smallportion of triggered events. Suitable triggered events for such handlingmay include those not requiring significant contextual information. Forexample microcode security agent 708 may receive information throughsecurity rules 707 that a particular range of memory addresses is to beprotected from all reads and writes, unless an instance of below-O/Sagent 712 has been validated. Such a security rule may be implementedbecause the contents are quite sensitive, and without the operationalassistance of below-O/S agent 712, the identity of the entity accessingthe memory contents cannot be identified. Thus, after validating theinstance and operation of below-O/S agent, microcode security agent 708may set a bit indicating such validation. If an attempted access of thememory is triggered, and the bit has not yet been set, then microcodesecurity agent 708 may be configured to disallow the reading, writing,or execution of the contents of the memory range. If the bit has beenset, then microcode security agent 708 may be configured to then trapthe attempted access to the memory range, generate a triggered event tobe sent to below-O/S agent 712, which would evaluate from contextualinformation and other settings whether the calling entity was allowed toaccess the memory range. Below-O/S agent 712 may then send a resultingaction back to microcode security agent 708, perhaps indicating whetherto allow or deny the access.

A triggered event may include any suitable information that may be usedfor identification of the source, method, or destination of theattempted action. The triggered event may be used by microcode securityagent 708 or below-O/S security agent 712 to apply security rules. Thetriggered event may be generated by microcode security agent 708. Forexample, the triggered event may detail precisely what resource wasaccessed, what instruction was called, what instruction operands wereused, from what memory address the attempt or instruction came from(i.e. the source memory), into what memory the operation's result was tobe stored in (i.e. the target memory) or what memory will be affected,or any other information leading to identification of the source,method, or destination of the attempted action. Microcode security agent708 may also be configured to include information regarding processor702 such as processor states of active, sleep, idle, halt, and reset;interprocessor communications; and power consumption.

Another security agent such as below-O/S agent 712 may be configured touse such information in a triggered event to determine the scope of theevent when applying a security rule 722. Below-O/S agent 712 may haveaccess to additional clues such as information about the entitiesoperating in operating system 713, new information in protection server202, malware or other threats detected by other security agents,administrator settings, etc. For example, given a trapped requestoriginating from a particular address in physical memory, below-O/Sagent 712 may be able to determine the thread, process or applicationassociated with the particular address. Then, below-O/S agent 712 may beconfigured to determine whether such an entity is authorized to take theaction in question. Below-O/S agent 712 may be configured to determinethe identity of the entity. Below-O/S agent 712 may be configured toclassify the entity as known to be safe (e.g., by consulting awhitelist), known to be malicious (e.g., by observing behavior orconsulting a blacklist of known malware), or unknown. Below-O/S agent712 may be configured to report information about unknown and maliciousentities to protection server 202.

Microcode security agent 708 may have access—for trapping purposes—tocertain processor 702 resources and other system resources 724 that maybe unavailable to other security agents. In one embodiment,implementation of microcode security agent 708 within the microcode 706may avoid limitations created by limited exposure of such resources tocalling entities outside of the processor. For example, a virtualmachine monitor may be limited to trapping operations on resources whichhave been exposed by processor 702 for virtualization purposes. Take asa further example the ability to trap an attempted read, write, orexecute upon memory. A virtual-machine-monitor-based security agent mayonly have access to memory as it is available to be virtualized, and, asa consequence, may only be able to trace attempted read, write, orexecution attempts to a memory page. In contrast, microcode securityagent 708 may be able to intercept and handle a read, write, or executerequest to a specific physical memory address, and evaluate the requestbased upon security rules 707. The smaller granularity may providegreater flexibility in providing security solutions in system 700. Theinstruction-level awareness of what instruction was used in context witha specific physical memory address informs system 700 of which entitycalled what resource, and not merely that a memory page was accessed.This flexibility may be very valuable. For example, microcode securityagent 708 may monitor two adjacent memory addresses for read, write, orexecute attempts, but may be directed by security rules 707 to takecompletely different actions based upon which of the two memoryaddresses were accessed. With a view only into the memory page on whichan attempt is made, such a distinction in rules may fail to be applied.In another example, other methods by hypervisors for monitoring andsetting debug registers did not have the context of the instructionswhich were used to access the debug registers, as does system 700. Inaddition, some other entities for setting or watching such debugregisters do not run below the level of the operating system, makingthem more prone to malware. Finally, some other entities for setting orwatching such debug registers are not directed towards security, and arenot capable of accessing security rules, evaluating the access, andtaking a corrective action.

Corrective actions to be taken by microcode security agent 708 mayinclude any suitable action determined by security rules 707 or receivedfrom below-O/S agent 712. Commands or instructions may be allowed ordenied. Information generated from microcode modules 710 may be allowedor suppressed. Any such commands, instruction, or information may bemodified.

Microcode security agent 708 may be configured to trap the generation ofinterrupts. The interrupts may be trapped by trapping, for example, anexecution of an “INT” instruction, followed by reading relevantregisters known to host information associated with an interrupt. Forexample, general purpose registers may be read to learn the codeidentifier of the interrupt, as well as the parameters used to call it.For example, interrupt 13 may be a disk interrupt, and a known set ofregisters may identify the interrupt as a read or write, as well asrelevant sectors and locations of data.

Microcode security agent 708 may be configured to trap values beingwritten to input and output ports of processor 702. Microcode securityagent 708 may be configured to trap values being written to input andoutput devices by processor 702. Microcode security agent 708 may beconfigured to trap on instructions for making such writes or reads.

Microcode security agent 708 may also be configured to trap certainoperations of an arithmetic logic unit (“ALU”) of processor 702. Aseries of operations on the processor corresponding to the steps of aprotected hashing algorithm may be trapped to determine unauthorizedaccess of the function. Some arithmetic operations are used by malwareto disguise or morph themselves. Certain arithmetic instructions,bitwise instructions, or MOV instructions are all instructions thatmight cause a change in the content of a memory page or address range.By trapping such instructions, changes to a code section or data sectionmay be recorded. If subsequent analysis shows that the code section ordata section was modified as part of self-modifying malware, then thetrapped and recorded instructions may be used to track the encryptionalgorithm used by the malware. For example, it may be determined thatthe malware uses an XOR function with a particular key to morph itself.Such information may yield better security rules for detectingself-modifying malware. Further, by keeping track of memorymodifications, repair logic may be achieved by reversing the applicationof the instructions.

In addition, microcode security agent 708 may be configured to conductdigital-rights-management operations. For example, microcode securityagent 708 may be configured to receive a security rule 707 indicatingthat authorization to run a particular program is required. Theparticular program may be located at a specific address in memory. Suchan authorization may take the form of the microcode security agent 708receiving, for example, an authorization code, key, or byte frombelow-O/S security agent 712. Such an authorization may be accomplishedby microcode security agent 708 trapping attempted access on the memoryor loading of the programs instructions, and sending the triggered eventto below-O/S security agent 712, which in turn may have access to theauthorization code, key, or byte. The below-O/S security agent 712 mayreturn the decision to the microcode security gent 712. Thus, operationof the program may be allowed or disallowed based on the authorizationcode.

Furthermore, microcode security agent 708 may be configured to stop theexecution of specific code in memory based upon a hash or a checksum ofthe memory. Such a hash or checksum may be indicated by a security rule707 as malicious. As the code is loaded from memory, microcode securityagent 708 may conduct the hash or checksum of the contents, compare itwith those of known malicious code, and then deny the attempt to loadand load a repair function to eliminate the offending code.

Below-O/S agent 712 may be configured to inform other security agents ofsystem 700, including microcode security agent 706 that it has beendetermined that system 700 has been infected with malware, encounteredsuspicious behavior, or otherwise been compromised. In such a case,microcode security agent 706 may be configured to disable operation ofportions of processor 702. Microcode security agent 706 may beconfigured to disable such operations by trapping and denying requeststo specific system resources 724, or generated communication frommicrocode modules 710. Portions of processor 702 may be disabled becausethey are sensitive, or likely to be misused by malware.

Microcode security agent 706 may be configured to protect a memoryaddress or a range of memory addresses from attempts to load, read,write, or execute attempts. Such memory may include sensitive data, ormay be the initialization point for a restricted, sensitive, orprotected function. Microcode security agent 706 may prevent access tosuch memory where there is no verification that the accessing softwareis safe or neutral. In such a case, security agents such as below-O/Sagent 712 may identify specific memory addresses to be protected,perhaps because such memory addresses may correspond to the examplesensitive information or protected routines. Below-O/S agent 712 maysend microcode security agent 708 information such as security rules 707regarding which addresses to protect. Microcode security agent 708 maytrap attempted loading, executing, reading or writing to such memoryaddresses and send a corresponding triggered event to below-O/S agent712. Below-O/S agent 712 may determine whether the calling software issafe or neutral according to security rules 723, information fromprotection server 202, a whitelist, or any other suitable informationsource. Below-O/S agent 712 may return an action to be implemented backto microcode security agent 708. Microcode security agent 706 may beconfigured to protect a page or range in virtual memory and/or anaddress or range in physical memory. Microcode security agent 706 may beconfigured to translate virtual memory pages, locations, or addressesinto physical memory locations or addresses. Thus, given a virtualmemory location to trap, or a virtual memory location from where anattempt originated, microcode security agent 706 may be configured todetermine the corresponding physical memory locations, or vice-versa.

Furthermore, microcode security agent 708 may be configured to protectthe access of sensitive code. In one embodiment, microcode securityagent 708 may be configured to protect the access of sensitive code inthe manner described above by monitoring access of a particular address,wherein the address represents the beginning of the code as it is storedin memory. In another embodiment, microcode security agent 708 may beconfigured to monitor the execution of “JMP” or similar branchinginstructions which would move the operation of processor 304 into themiddle of sensitive data or code. In such a case, microcode securityagent 708 may be configured to trap the execution of “JMP” instructionsin combination with the sensitive memory ranges. Microcode securityagent 708 may be configured to analyze from where the “JMP” instructionoriginated. The microcode security agent 708 may be configured togenerate a triggered event corresponding to the trapped “JMP” attemptedexecution, which may be handled by below-O/S agent 712. The below-O/Sagent 712 may be configured to take into account where the “JMP”instruction originated, and whether such memory where the “JMP”instruction originated is authorized to access the memory in question.

Microcode security agent 708 itself, or the trapping functionalitytherein may also be configured to be enabled or disabled by otherportions of system 700. Such capabilities may be useful if trapping andhandling events are expensive, thus possibly harming system performance.Such enabling and disabling may be based upon the use of particularlysensitive programs or data, detection of a malware threat,administration preferences, or any other suitable reason. In oneembodiment, microcode security agent 706 may be configured to receive aMSAOn signal, VMXOn signal, or other instruction from below-O/S agent712 to begin security processing and trapping. Microcode security agent708 may receive an MSAOff signal, “VMWrite VMXOff” signal, or otherinstruction to stop security processing and trapping. Before beginningor stopping security processing and trapping, microcode security agent708 may validate the identity and instance of the security agent makingthe request.

Furthermore, microcode security agent 708 may be configured to interceptinterprocessor messages and commands between processor 702 and otherprocessors of electronic device 701. Such interprocessor commands may bereceived by an appropriate microcode module 710 or be attempted by anentity of electronic device 701 accessing particular system resources724. In one embodiment, interprocessor commands may be sent fromsoftware accessing processor 702 from operating system 713 by way of amachine state register. Malware may try to send such messages, forexample, to turn off processors or put them in sleep mode. Microcodesecurity agent 708 may be configured to trap the attempted writes to,for example, the MSR register that correspond to interprocessorcommands. A triggered event for the trapped command may be sent tobelow-O/S agent 712 for handling to verify the source of the attempt.

Microcode security agent 708 may be configured to intercept thegeneration and communication of messages from the processor such assoftware interrupts 722. Microcode security agent 708 may be configuredto control the execution of an interrupt such that they may be accessedby authorized software only. For example, drivers without a knownidentity (such as determined by hashes, source of driver in memory,etc.) or a malicious identity will not be allowed to execute softwareinterrupts. Microcode security agent 708 may trap the access of theinterrupt and pass the triggered event to the below-O/S agent 712 forhandling.

In another example, microcode security agent 708 may be configured totrap the generation of exceptions 718 by processor 702. Exceptions mayinclude, for example, divide-by-zero operations, page faults, and debugsignals. Read access to the memory addresses containing these may betrapped by microcode security agent 708 and handled by below-O/S agent712.

Microcode security agent 708 may be configured to protect various datastructures of the processor 702. For example, malware may attack theInterrupt Descriptor Table (“IDT”). In one embodiment, microcodesecurity agent 708 may trap write access attempts to memory locationscontaining the IDT itself. In another embodiment, microcode securityagent 708 may protect the memory locations where functions for changingthe IDT are stored, such as “LOAD IDT” and “STORE IDT.” In anotherexample, microcode security agent 708 may be configured to protect theEFLABS or similar data structure, or flags associated with interrupthandlers. Malware may attempt to subvert the operation of interrupthandlers through the alteration of such resources by unauthorizedsources.

Although microcode security agent 708 may be specific to the particularinstances of a specific type of processor, as different circuitryarrangements may necessitate different microcode instructions, a set ofsecurity rules 707 may be valid for all processors using a giveninstruction set. This may be possible because microcode security agent708 may trap certain instructions, which would not change betweendifferent processors implementing the same instruction set, but thecircuitry where the associated resources may vary and depend upon thecircuitry. For example, a main desktop central processing unit (“CPU”)and an embedded system CPU may both be ISA processors from the samemanufacturer, and thus security rules 707 may be shared at least in partbetween the two types of processors. In contrast, a graphics processingunit on a graphics processor or an automobile embedded processor with adifferent instruction set may not be able to share security rules 707.

In operation, microcode security agent 708 may be running in theprocessor 702 of electronic device 701 and below-O/S agent 712 may berunning below the level of operating system of electronic device 104.Microcode security agent 708 and below-O/S agent 712 may authenticateeach other. Microcode security agent 708 may initiate trapping of accessto system resources 724 and outputs or communication generated bymicrocode modules 710. Microcode security agent 708 may be so initiatedupon demand from below-O/S agent 712, upon a security rule 707, or uponstartup of processor 702. Below-O/S agent 712 may send a securityenablement request to microcode security agent 708 because of anoccurrence in system 700, an administrator or system setting, or becauseof a triggered security rules 723. Such a request may be generated, forexample, because a particular program is to be executed, sensitive datais to be accessed, or a malware threat has been detected elsewhere insystem 700. In-O/S security agent 719 and/or below-O/S system agent 712may authenticate itself to microcode security agent 708. To authenticateitself, in-O/S security agent 719 and/or below-O/S system agent may calla privileged instruction provided by processor 702 to initiate theauthentication process. The call may cause microcode security agent 708measure and authenticate, with a signature or hash, for example, in-O/Ssecurity agent 719 and/or below-O/S system agent 712.

Microcode security agent 708 may receive security rules 707 frombelow-O/S agent 712. Microcode security agent 708 may be updated byfunction calls, or by writes to shared memory such as a memory store.Microcode security agent 708 may apply flags based on security rules 707to a control structure of microcode 706 configured to trap specificinstructions, operands to such instructions, target addresses, sourceaddresses, or any combination thereof. Microcode security agent 708 maytrap attempted accesses of system resources by entities running abovethe processor, such as operating system 713, application 710, or driver711. The operation of microcode security agent 708 may be transparent tosuch entities. Microcode security agent 708 may trap the generation ofinformation such as outputs from instances of other microcode modules710. Such microcode modules 710 may include other portions of microcodeconfigured to perform various tasks for processor 702. For example, someof microcode modules 710 may detect when a processor exception orinterrupt is to be generated, how to route input and output data, orperform mathematical operations. The operation of microcode securityagent 708 may be transparent to such modules. Microcode security agent708 may use a state machine to perform certain trapping predicated onprevious events observed.

Upon trapping an access to a resource or a generation of information,microcode security agent 708 may created a triggered event associatedwith the trapping. Such a triggered event may contain information aboutthe trapping, including contextual information such as the instructiontrapped, parameters used, originating memory locations, and targetmemory locations.

In one embodiment, microcode security agent 708 may handle the triggeredevent. In another embodiment, microcode security agent 708 may pass thetriggered event to below-O/S agent 712 or another security agent forhandling. Microcode security agent 708 may consult security rules 707 todetermine whether and how to handle the triggered event, or to pass thetriggered event to below-O/S agent 712. Microcode security agent 708 maywait for a reply from below-O/S agent 712, or may allow the trappedaction if no follow-up is required by security rules 707. Microcodesecurity agent 708 may take corrective action based on security rules707, such as allowing or denying an instruction, or replacing a value orparameter to be executed.

Below-O/S agent 712 may receive a triggered event from microcodesecurity agent 708. Below-O/S agent 712 may consult security rules suchas security rules 723 to determine an appropriate action to take basedon the triggered event. Below-O/S agent 712 may use triggered eventinformation from microcode security agent 708, contextual informationfrom in-O/S security agent 719, information from protection server 202,determinations from other security agents, administrator settings, time,or other information to determine the appropriate action that should betaken. Below-O/S agent 712 may send actions to be taken to in-O/Ssecurity agent 719 and/or microcode security agent 708. Below-O/S agent712 may send information regarding the triggered event and resultantactions to protection server 202.

Microcode security agent 708 may receive an action to be taken fromanother security agent, such as below-O/S agent 712. Microcode securityagent 708 may execute the received action, such as allowing or denyingan instruction, or replacing a value or parameter to be executed.

FIG. 8 is an example embodiment of a method 800 for microcode-based,personalized and configurable protection for an electronic device frommalware. In step 805, an instance of a microcode security agent may bevalidated. In step 810, an instance of another security agent may bevalidated. Such a security agent may include a below-O/S security agent.In step 815, one or more security rules for trapping at microcode levelwithin a processor may be obtained, sent or received. Such securityrules may be communicated by, for example, function calls or by writingparameters to a shared memory space. In step 820, security trapping ofresources at the microcode level may be initiated. In one embodiment,such initiation may arise from receiving a signal to begin securitytrapping. In such an embodiment, a signal may be received because amalicious attack on a system has been detected, or because sensitivedata may be present in a system. In another embodiment, such initiationmay arise from consultation of a security rule. In yet anotherembodiment, such initiation may arise from the startup of a processor.

In step 825, flags corresponding to operations to be trapped may be setin microcode. Such flags may correspond to specific instructions,operands to such instructions, target addresses, source addresses, orany combination thereof. Such flags may be defined by security rulesthat were received. In step 830, instructions to be executed may bereceived and compared against the trapping flags. In step 835,information generated and to be sent from microcode may be received andcompared against the trapping flags. Steps 830 and 835 may beimplemented by way of a state machine, wherein the steps may berepeated, and the results from multiple iterations of step may beremembered and compared together against a flag or security rule.

In step 840, it may be determined whether an instruction or informationhas been trapped. If nothing was trapped, the method may return tomonitoring instructions and generated information in steps 830 and 835.If something was trapped, then in step 845 a triggered event associatedwith the trapping may be created. Such a triggered event may containinformation about the trapping, including contextual information such asthe instruction trapped, parameters used, originating memory locations,and target memory locations.

In step 850, it may be determined whether the triggered event is to behandled within microcode, or whether a security agent outside microcodeshould handle the triggered event. If the triggered event is to behandled within microcode, then in step 855 an appropriate action for thetriggered event may be taken. Such an action may be defined byconsulting a security rule. Such an action may include allowing aninstruction to be executed or information to be sent, denying theinstruction or communication, replacing values in memory or inparameters, or any other corrective action required. The method 800 maythen continue security monitoring in steps 830 and 835.

If the triggered event is to be handled outside of the microcode, thenin step 860 the triggered event may be sent to a security agent forhandling the triggered event. In step 865, additional informationrelated to the triggered event may be gathered. Such information mayinclude settings, preferences, contextual information, or malwarestatus. Such information may be used in step 870 to apply a securityrule to the triggered event. Such an application may yield a course ofaction to be taken with respect to the triggered event. In step 875 sucha course of action may be specified and transferred to various securityagents which may implement the specified action. Such actions mayinclude corrective actions, allowing an operation or communication totake place, reporting the event to a protection sever, or any othersuitable result. In step 880, the actions specified in step 875 may betaken. The method 800 may then continue security monitoring in steps 830and 835.

FIG. 9 is an example embodiment of a system 900 for regulating softwareaccess to security-sensitive processor resources on an electronic device901. System 900 may include a below-O/S trapping agent 920 and atriggered event handler 922 configured to operate on electronic device901 to detect malicious attempts to access processor resources 924 fromsoftware-based entities running in operating systems of electronicdevice 901 such as operating system 913. Furthermore, below-O/S trappingagent 920 and triggered event handler 922 may be configured to use oneor more security rules 908 to determine what attempted operations orgeneration of information to trap and how to handle a triggered eventcreated corresponding to the trapped operation or information. Below-O/Strapping agent 920 and triggered event handler 922 may be configured toallow, deny, or take other corrective action for the triggered event.

Electronic device 901 may be implemented wholly or in part by orconfigured to implement the functionality of the electronic device 103of FIG. 1, electronic device 204 of FIG. 2, electronic device 404 ofFIG. 4, electronic device 701 of FIG. 7, and/or any combination thereof.Electronic device 901 may include one or more processors 902 coupled toa memory 903. Processor 902 may be implemented wholly or in part by orconfigured to implement the functionality of processor 208 of FIG. 2,processor 408 of FIG. 4, processor 702 of FIG. 7, or any combinationthereof. Memory 903 may be implemented wholly or in part by orconfigured to implement the functionality of memory 206 of FIG. 2,memory 406 of FIG. 4, memory 703 of FIG. 7, and/or any combinationthereof. Electronic device 901 may include an operating system 913,which may include an in-O/S security agent 919 coupled to one or moresecurity rules 921. Operating system 913 may be implemented wholly or inpart by or configured to implement the functionality of operatingsystems 112 of FIG. 1, operating system 212 of FIG. 2, operating system412 of FIG. 4, operating system 713 of FIG. 7, and/or any combinationthereof. In-O/S security agent 919 may be implemented wholly or in partby or configured to implement the functionality of in-O/S security agent218 of FIG. 1, in-O/S security agent 418 of FIG. 4, and/or in-O/Ssecurity agent 719 of FIG. 7, or any suitable combination thereof.

Below-O/S trapping agent 920 may be implemented by or configured toimplement the functionality of below-O/S trapping agent 104 of FIG. 1,SVMM 216 of FIG. 2, firmware security agents 440, 442 or PC firmwaresecurity agent 444 of FIG. 4, firmware security agent 516 of FIG. 5,microcode security agent 708 of FIG. 7, and/or any combination thereof.Triggered event handler 922 may be implemented by or configured toimplement the functionality of triggered event handler 108 of FIG. 1,SVMM security agent 217 of FIG. 2, below-O/S agent 450 of FIG. 4,below-O/S agent 712 of FIG. 7, and/or any combination thereof. Invarious embodiments, some of the functionality of below-O/S trappingagent 920 may be accomplished by triggered event handler 922, or some ofthe functionality of triggered event handler 922 may be accomplished bybelow-O/S trapping agent 920. Furthermore, below-O/S trapping agent 920and triggered event handler 922 may be implemented in the same softwaremodule.

Security rules 908 may be implemented by or configured to implement thefunctionality of security rules 114 of FIG. 1, security rules 222 ofFIG. 2, security rules 434, 436, 438 of FIG. 4, security rules 518 ofFIG. 5, security rules 707, 723 of FIG. 7, and/or any combinationthereof. Security rules 921 may be implemented by or configured toimplement the functionality of security rules 220 of FIG. 2, securityrules 420 of FIG. 4, security rules 721 of FIG. 7, and/or anycombination thereof.

Below-O/S trapping agent 920 may be configured to intercept access to orinformation from any suitable resource, such as processor resources 924.For example, processor resources 924 may be implemented by or configuredto implement the functionality of resource 106 of FIG. 1, systemresources 214 of FIG. 2, portions of components such as display 424 andstorage 426 of FIG. 4, or system resources of FIG. 7. Processorresources 924 may include resources available to a processor such asprocessor 902 for enabling the processor to load and executeinstructions. Such resources may include, for example, data registers928, control registers 930, caches 934, processor flags 936, processorcores 938, processor exceptions 940, or processor interrupts 942. Anattempted access of such a resource may include an instruction such asan assembly language instruction with operands. The processor resources924 on which trapping may be available may depend upon the resourcesexposed by the processor 902. For example, if below-O/S trapping agent920 is implemented in a virtual machine monitor, the processor resources924 available for the below-O/S trapping agent 920 to trap may belimited to processor resources 924 exposed by processor 902 for thepurposes of virtualization. In such a case, processor 902 may includevirtualization extensions for some of processor resources 924. Inanother example, if below-O/S trapping agent 920 is implemented in amicrocode security agent, then processor 902 may have made nearly allresources of the processor 902 available for trapping.

Below-O/S trapping agent 920 may include a processor resource controlstructure (“PRCS”) 926. PRCS 926 may be implemented in a record, datastructure, table, or any other suitable structure. PRCS 926 may containinformation specifying which instructions, information, or attemptedaccess of processor resources 924 are to be trapped. Below-O/S trappingagent 920 or triggered event handler 922 may be configured to set flagsin PRCS 926 corresponding to sensitive operations, information, orresources that are to be trapped. Below-O/S trapping agent 920 ortriggered event handler 922 may be configured to set such flags in PRCS926 according to information contained within security rules 908.

FIG. 10 is an example embodiment of a PRCS 1000. PRCS 1000 may be anexample embodiment of the PRCS 926 of FIG. 9. PRCS 1000 may include atable of entries 1014 of various processor resources that are to betrapped. Each entry may have one or more fields 1004, 1006, 1008, 1010,1012 identifying the resource and the conditions which may yield atriggered event. For example, PRCS 1000 may have fields for a triggerflag 1002, an identifier 1004 of a resource, a type 1006 associated withthe resource, a trigger type 1008, when-to-trigger conditions 1010 aboutwhen to trigger an event, and an execution stage 1012 in which totrigger an event. The implementation of PRCS 1000 may depend upon thenature of the processor whose resources are identified, including thearchitecture (such as Industry Standard Architecture “ISA”) or theresources exposed by the processor 902.

Trigger flag 1002 may include an indication of whether trapping andtriggering for the associated entry 1014 is turned on or off. Such aflag may allow a trapping condition to be loaded in PRCS 1000 as anentry 1014 but yet remain dormant. Thus, PRCS 1000 may be loaded withembodiments of security rules without actively enforcing them. Triggerflag 1002 may be configured to be set by an entity such as the below-O/Strapping agent 920 of FIG. 9. Such an operation may enable ananti-malware system using PRCS 1000 to operate much faster in contrastto a system which would require PRCS 1000 to be populated anddepopulated each time trapping for a particular resource or conditionwas to be enabled or disabled. The ability to turn on and turn off anentry 1014 may enable an anti-malware system to selectively trap certainoperations. Such selectivity may be advantageous if a particulartrapping operation is expensive in terms of time or execution, and thusan entry 1014 might be enabled only when particular conditions aredetected. For example, if a system normally writes many times to aparticular register, trapping on access to that register may be turnedoff until another part of the antimalware system detects suspiciousbehavior indicating a possible malware infection. In such a case, thetrigger flag 1002 of an entry 1014 corresponding to writes of theregister may be set to “ON” to catch any additional malicious attemptsto attack resources.

Resource identifiers 1004 may include an identification of a particularresource of the processor that is to be trapped. For example, anidentifier 1004 may show that the resource is a register such as aparticular data register, address registers such as EAX, a stackregister, a control register, a vector register, stack pointers such asESP, an instruction register, a program counter, an instructionregister, a program status word, a constant register, a floating pointregister, or a conditional register. As other examples, identifier 1004may identify that the resource is an instruction such as “JMP,” “JZ”(jump if condition is equal to zero), “JNZ” (jump if condition is notequal to zero), “MOV” (move a value), or “SysEnter” (a fast call to aRing 0 procedure). As yet further examples, identifier 1004 may identifythat the resource is one of other resources like a cache such as atranslation lookaside buffer; a counter such as a time stamp counter; alogical core such as processor0, processor1 . . . processorN of thesystem; or processor exceptions such as “DIV/0” or interrupts such as aninterprocessor interrupt or other global variables. Resource identifier1004 may be translated into a representation of the address of theinstruction, register, or other resource represented by resourceidentifier 1004. Resource type 1006 may include an identification of theclass or type of resource that the entry 1014 includes. Some entries ofPRCS 1000 may apply to all resources of a particular type.

Trigger type 1008 may include an identification of whether the handlingof a resulting triggered event is synchronous or asynchronous.Synchronous triggers may cause the execution or communication of thetrapped resource to halt until, for example, it is determined whetherthe attempt is indicative of malware. Asynchronous triggers may allowthe execution or communication of the trapped resource to continue,while the trigger is, for example, recorded for future evaluation. Inone embodiment, attempted accesses of resources triggered asynchronouslymay be used to build an evaluation of a larger series of actions, andthe proper evaluation of such a series of actions may require multipledata points before a determination can be made. For example, whether aparticular read of an instruction pointer register may not itself bemalicious, but a subsequent use of the information returned may bemalicious. Thus, a state machine may be used to first asynchronouslytrap the read of the instruction pointer register, but thensynchronously trap its usage in another instruction.

When-to-trigger conditions 1010 may include logical rules or conditionsunder which a triggered event will be generated based on the access ofthe resource. For example, triggered events may be generated for aregister when the resource is written to or read. Triggered events maybe generated for an instruction such as “JMP” when the instruction isexecuted. Triggered events may be generated for a cache such as aTranslation Lookaside Buffer when the cache is invalidated. Triggeredevents may be generated for a processor core depending upon the state ofthe processor, such as when the core is idle. An processor exception orprocessor flag may be triggered when the flag or exception is set orwritten. When-to-trigger conditions 1010 may include compound logicalconditions, such as multiple conditions on a single resource (such as avalue range), conditions on multiple resource (thus tying in multipleentries 1014), or a combination of both.

When-to-trigger conditions 1010 may contain conditions according to thetype of resource that is to be trapped. For example, a register may betriggered when it is written, written with a particular value, or read.In another example, a cache or pointer may be similarly triggered whenit is written, written with a particular value, or read. In yet anotherexample, a processing core may be triggered when the core is idle. Instill yet another example, interprocessor interrupts such as one used tocommand processor cores to halt, sleep, or activate may be triggeredbefore the interrupt is sent (upon attempted access of the global spaceof the interrupt table) or after the interrupt is sent (after theinterrupt table is written).

Execution stage to trigger 1012 may include an indication of in whichstage of the execution of an instruction the attempted access will betrapped and a triggered event generated. Execution stage to trigger 1012may be used in combination with when-to-trigger conditions 1010 as anadditional requirement to trap a given resource. To trap a given entry,when-to-trigger conditions 1010 may be evaluated when the associatedinstruction reaches the stage of execution specified in execution stageto trigger 1012. Execution stage to trigger 1012 may include entriescorresponding to, for example, five stages or steps of the execution ofan instruction by a processor. In one embodiment, five such stages ofexecution of an instruction may include 1) fetching the instruction, 2)decoding of the instruction, 3) execution, 4) accessing a memorylocation for the results, and 5) writing a return value back to memory,register, or another location. In such an embodiment, execution stage totrigger 1012 may include the ability to trigger before or after any ofthe five stages. This provides a total of six different exampletriggering options—before fetching, after decoding (and thus beforeexecution), after execution (and thus before accessing a memorylocation), after accessing a memory location (and thus before writing areturn value), and after writing a return value. The ability to trapbased upon the stage of execution may provide significant flexibilityunavailable in other anti-malware systems. For example, the result ofexecuting a particular instruction may be unknown beforehand, and thusan anti-malware system may set the value of execution stage to trigger1012 to be after accessing a memory location for the results, but beforewriting a return value back to a register as commanded by theinstruction. This may allow the anti-malware system to evaluate theresults of the operation without allowing it to be written. If theresults indicate a malicious operation, then a dummy value may bewritten back to the register instead of the value returned from thefourth stage of execution. Information about the attempted execution maybe provided to a handler of the triggered event based on the attemptedexecution to help determine whether the attempt is malicious.

Each resource 1004 of PRCS 1000 may have multiple entries correspondingto combinations of the access of the resource 1004 with another 1004.Such combination of accesses may include a two-step or more process tobe trapped. For example, entries 1014 may include separate entries fora) the access of a memory location corresponding to an interruptdescriptor table (“IDT”) in combination with an access of controlregisters, and b) the access of a memory location corresponding to aninterrupt descriptor table in combination with an access of generalpurpose registers. Furthermore, in FIG. 9 such separate entries may behandled by separate portions of system 900. For example, specific in-O/Strapping agents 919 may handle gathering contextual information fortrapped IDT-general register access, while other in-O/S trapping agents919 may handle gathering contextual information for trapped IDT-controlregister access.

Returning to FIG. 9, below-O/S trapping agent 920 may be configured toset flags or add entries in PRCS 926. Below-O/S trapping agent 920 maybe configured to access one or more security rules such as securityrules 908 to determine such flags or entries. In one embodiment,below-O/S trapping agent 920 may be configured to receive instructionsto set such flags or entries from triggered event handler 922, which maycall below-O/S trapping agent 920 after consulting security rules 908 orprotection server 202. A set of specific privileged routines may beprovided by processor 902 and/or below-O/S trapping agent 920 forsetting flags or adding entries to PRCS 926.

If electronic device 901 includes more than one processor, each suchprocessor may have a corresponding PRCS 926. In one embodiment, system900 may include a below-O/S trapping agent 920 for each such PRCS 926.In another embodiment, below-O/S trapping agent 920 may be configured totrap resources represented in each such PRCS 926.

If system 900 supports virtualization, then PRCS 926 itself may bevirtualized. The contents of a virtualized PRCS 926 may be limited tothose resources which are virtualized by the corresponding processor902. Such a virtualized PRCS 926 may be included in a virtual machinemonitor. In such a case, below-O/S trapping agent 920 or triggered eventhandler 922 may be configured to control PRCS 926 in such a virtualmachine monitor. In another embodiment, below-O/S trapping agent 920 maybe configured to trap resources represented in each such PRCS 926.Furthermore, entries 1014 may be created in and trigger flags 1002 setin each such virtualized PRCS 926, on a per-PRCS or per-virtualizedprocessor basis.

Below-O/S trapping agent 920 may be configured to send a triggered eventresulting from a trapped attempt or communication to triggered eventhandler 922. Triggered event handler 922 may be configured to performany suitable subsequent action based on the information of the triggeredevent and one or more security rules 908. For example, triggered eventhandler 922 may be configured to allow execution of an attemptedinstruction, but require notification of the results after execution. Inanother example, triggered event handler 922 may be configured to skipthe execution of a command or communication altogether. Such an examplemay be applied if no return value is required. In yet another example,execution may be transferred to a new location by, for example, by usinga “JMP” instruction to send execution to the address of a repairroutine.

In operation, below-O/S trapping agent 920 and triggered event handler922 may be operating on electronic device 901. Below-O/S trapping agent920 may be operating below the level of the operating systems ofelectronic device 901. Furthermore, triggered event handler 922 may alsobe operating below the level of the operating systems of electronicdevice 901. Triggered event handler 922 may consult security rules 908or protection server 202 to determine what flags 1002 or entries 1014 toset in PRCS 926. Triggered event handler 922 may instruct below-O/Strapping agent 920 what flags 1002 or entries 1014 to set in PRCS 926.Depending upon various conditions detected, such as applications 910 inuse, other indications of malware detected, previously triggered events,or administrator settings for electronic device 901, below-O/S trappingagent 920 and triggered event handler 922 may change the trigger flags1002 or add new entries 1014 in PRCS 926 dynamically during theoperation of electronic device 901. Information to base such dynamicchanges may come from, for example, below-O/S trapping agent 920 orin-O/S agent 919. Entries 1014 in PRCS 926 may be identified accordingto the resource 1004 or resource type 1006. The trigger type 1008 may beset to configure a subsequent trapped event to be synchronous orasynchronous. When-to-trigger conditions 1010 may be set to configureunder what circumstances an intercepted request will generate atriggered event, as may execution stage to trigger 1012.

Entries in PRCS 926 may be dynamically enabled or disabled, dependingupon various conditions encountered by system 900. For example,below-O/S trapping agent 920 may disable a trapping operation that isexpensive because the attempted access that is trapped occurs frequentlywith many false-positives, until such a time that triggered eventhandler 922 receives an indication that the electronic device 901 isunder a malware attack. Then, below-O/S trapping agent 920 may enablethe trapping operation. In one embodiment, under such conditionsextensive trapping on one or more processor resources 924 may be enabledto prevent unknown malware actions from harming electronic device 901further. Such extensive trapping may extend to essentially shutting downthe entire execution environment of a processor, virtualized processor,thread, process or application.

A request for a processor resource 924 may arise from an entity at thelevel of operating systems in system 900, such as from application 910,driver 911, or operating system 913. The request may be passed throughto processor resources 924 but intercepted by below-O/S trapping agent920. Furthermore, information or communication may be generated from theprocessor through various processor resources 924. The information orcommunication may be intercepted by below-O/S trapping agent 920.

Below-O/S trapping agent 920 may use PRCS 926 to trap an access of aresource if the information or communication matches any when-to-trigger1010 fields of entries 1014 in PRCS 926, and subsequently generate atriggered event. Entries 1014 which have been enabled by trigger flags1002 being set to “ON” may be matched to the attempted access orinformation or communication. The resource to be accessed may becompared to the resource field 1004 and/or resource type field 1006. Ifthe resource to be accessed matches such fields, then when-to-triggerconditions 1010 may be evaluated. If the when-to-trigger conditions 1010match system information or information about the request, then PRCS 926may generate a triggered event. Execution stage to trigger 1012 may beused to determine when to generate the triggered event. For example, thetriggered event may be created before an instruction fetch, after aninstruction fetch, after execution, after memory is accessed for asubsequent write, or after another resource such as a register isaccessed for a write back. Furthermore, a triggered event may begenerated for an attempted communication or generation of informationsuch as an interprocessor interrupt like “Interrupt_Sleep” before orafter the interrupt is sent or written to an interrupt table. Agenerated triggered event may be synchronous or asynchronous, dependingupon trigger type 1008. Below-O/S trapping agent 920 may halt executionof the attempted access of the resource or generation of thecommunication if a synchronous triggered event is generated, pendinghandling of the event. Below-O/S trapping agent 920 may allow executionof the attempted access of the resource or generation of thecommunication if an asynchronous triggered event is generated. Below-O/Strapping agent 920 may add additional context information about theattempt into the triggered event, such as the memory address from whichthe attempt originated, where results were to be written, or any othersuitable information.

Below-O/S trapping agent 920 may include information related to thetriggered event for the purposes of deciding whether the triggered eventis suspicious. For example, below-O/S trapping agent 920 may determineinformation such as determining from what portion of memory theattempted access was made. The portion of memory may be correlated bytriggered event handler 922 against known processes, applications, orprograms running on electronic device 903. If the attempted access arosefrom an unknown or unauthorized process, application or program, thenthe attempt may be suspicious. Triggered event handler 922 may useinformation from in-O/S security agent 919 to determine such acorrelation. In another example, below-O/S trapping agent 920 mayprovide information regarding previously triggered events, such as thoserecorded in a state machine. Such previously triggered events that arerelated to the presently triggered events may provide contextualinformation about whether the attempts are suspicious.

Below-O/S trapping agent 920 may pass the triggered event to triggeredevent handler 922, which may handle the event by evaluating informationin the triggered event and/or contextual information from in-O/S agent919 according to security rules 908. A resulting appropriate action maybe determined and sent back to below-O/S trapping agent 920 to apply tothe trapped attempt. Such an action may include allowing the attempt,denying execution of an instruction, or substituting different data orinstructions to circumvent operation of malware.

Below-O/S trapping agent 920 may store triggered events for subsequentreference in trapping future attempted access. For example, a maliciousoperation may require multiple instructions to be executed by processorresources 924. Thus, each step of such malicious behavior may bereflected in a separate entry 1014 in PRCS 926. Below-O/S trapping agent920 may trap a first step of a malicious operation, which by itself maynot be malicious but only when in combination with subsequent steps. Insuch a case, the entry 1014 for such a step may be set to triggerasynchronously, as the condition is merely recorded into a state machineso that below-O/S trapping agent 920 or PRCS 926 may be aware ofpreviously handled attempts. The trapping of a second step of amalicious operation may have as a when-to-trigger condition 1010 thetrapping of the first step.

FIG. 11 is an example embodiment of a method 1100 for regulatingsoftware access to security sensitive processor resources of anelectronic device. In step 1105, security rules may be accessed todetermine in step 1110 what processor resources or processorcommunications are to be secured. A trapping agent operating below thelevel of operating systems in the electronic device may determine whatresources and communications to trap. Such a trapping agent may operatein, for example, a virtual machine monitor, firmware, or microcode of aprocessor.

In step 1115, entries corresponding to the resources or communicationsto be trapped may be written to a processor resource control structure,which may be configured to trap the operation, access, or other use ofdesignated resources or communications under specified conditions. Theentries in the PRCS may be written with identifications of the resource,the resource type, the conditions under which an event will betriggered, whether the trigger would be asynchronous or synchronous, andin/at what, if any, execution stage the attempted access orcommunication should yield a triggered event. In step 1120, entries inthe PRCS may also be written with a trigger or enablement flag whichindicates whether or not the entry is activated for trapping or not. Ifthe trigger flag is not set, then the entry may be dormant and not beused to trap attempted accesses of resources.

In step 1125, access to resources or generation of communications may bemonitored. Such a monitoring may take place through the PRCS. Entitiesin the electronic device may try to attempt to generate processorcommunications or attempt to access a processor resource. Such attemptsto access a resource may originate from the level of operating systemsof the electronic device. If an instruction, command, or other attemptto access the resource matches a resource identifier of an entry in thePRCS wherein the entry has been activated, then the attempt may betrapped. Similarly, if a processor communication is generated thatmatches a resource identifier of an entry in the PRCS wherein the entryhas been activated, then the attempt may be trapped. In one embodiment,the attempt to access a resource or generate communication may betrapped if the additional criteria specifying when to trigger are met.For example, an attempted write of a control register may be trappedwhen the control register is ever written. In another example, anattempted write of a control register may be trapped when the controlregister is written with a specific value.

In step 1130, it may be determined whether an attempted access orcommunication was trapped. If no attempt has been trapped, then in step1140 it may be determined whether entries in PRCS need to be adjusted.Such an adjustment may include enabling or disabling such entries,adding new entries, or adjusting criteria or settings of entries. Method1100 may then return to step 1125. Such adjustment could be based on,for example, new malware threats detected in the electronic device,passage of time, previously trapped attempts, or an administrator'ssettings.

In step 1145, if an attempt has been trapped, it may be determinedwhether a resulting triggered event should be synchronous orasynchronous. If the trigger type is not synchronous, then method 1100may return to step 1125 in parallel with proceeding to step 1150. If thetrigger type is synchronous, then in step 1150 information about thetrapped attempt may be stored. Such information may be used, forexample, by a state machine in a future determination of whether atrapped attempt should yield a triggered event. In step 1155, it may bedetermined whether all conditions of the trigger are met. Suchconditions may require, for example, certain values to be written to theresource, or the request originate (or not originate) from particularlocations in memory. Furthermore, such conditions may require that otherattempts were previously trapped. Information about such attempts may beaccessed and stored in a state machine. If all conditions of triggeringare not met, then method 1100 may return to step 1125.

If all conditions of triggering are met, then in step 1155 it may bedetermined in which, if any, specific stage of execution should thetriggered event be generated. Such stages may include, for example,before an instruction in the attempt is fetched, after the instructionis fetched, after the instruction is executed, after memory is accessedto read a result, or after a value is written back. Furthermore, suchstages may include before or after an interprocessor interrupt isexecuted. Once the designated execution stage is accomplished, atriggered event for the attempt may be generated in step 1165.Contextual information, such as source or destination address of theattempt, or the resources involved may be included with the triggeredevent in step 1170 for delivery to a handler in step 1175.

In step 1180, security rules may be consulted to determine in step 1185whether the triggered event is suspicious, not permitted byadministrator settings, or indicative of malware. Contextualinformation, such as that of the triggered event, other events in theoperating system of the electronic device, or administrator settings maybe used to evaluate the application of the security rules to thetriggered event. If the triggered event is not suspicious, then in step1187 the trapping agent may be notified and method 1100 may return tostep 1125. If the triggered event is suspicious, then in step 1190 aresulting corrective action may be sent to the trapping agent. Such acorrective action may depend upon the specific attempt to accessresources or generate processor communication. For example, a maliciousinstruction may have a value to be read or written spoofed, or a jumpinstruction may be redirected to a repair routine. In step 1195, thecorrective action may be applied. The method 1100 may return to step1125.

FIG. 12 is an example embodiment of a system 1200 for regulatingsoftware access for securing memory using below-operating systemtrapping on an electronic device 1201. System 1200 may include abelow-O/S security agent 1220 configured to operate on electronic device1201 to detect malicious attempts to access memory from software-basedentities running in operating systems of electronic device 1201, such asoperating system 1213. Furthermore, below-O/S security agent 1220 may beconfigured to use one or more security rules 1208 and a memory map 1206to determine what attempted accesses of memory to trap and how to handlea triggered event created corresponding to the trapped operation.Below-O/S security agent 1220 may be configured to allow, deny, or takeother corrective action for the triggered event.

Electronic device 1201 may be implemented wholly or in part by orconfigured to implement the functionality of the electronic device 103of FIG. 1, electronic device 204 of FIG. 2, electronic device 404 ofFIG. 4, electronic device 701 of FIG. 7, electronic device 901 of FIG.9, and/or any combination thereof. Electronic device 1201 may includeone or more processors 1202 coupled to a memory such as physical memory1203. Processor 1202 may be implemented wholly or in part by orconfigured to implement the functionality of processor 208 of FIG. 2,processor 408 of FIG. 4, processor 702 of FIG. 7, processor 902 of FIG.9, or any combination thereof. Physical memory 1203 may be implementedwholly or in part by or configured to implement the functionality ofmemory 206 of FIG. 2, memory 406 of FIG. 4, memory 703 of FIG. 7, memory903 of FIG. 9, and/or any combination thereof. Electronic device 1201may include an operating system 1213, which may include an in-O/Ssecurity agent 1219 coupled to one or more security rules 1221.Operating system 1213 may be implemented wholly or in part by orconfigured to implement the functionality of operating systems 112 ofFIG. 1, operating system 212 of FIG. 2, operating system 412 of FIG. 4,operating system 713 of FIG. 7, operating system 913 of FIG. 9, and/orany combination thereof. In-O/S security agent 1219 may be implementedwholly or in part by or configured to implement the functionality ofin-O/S security agent 218 of FIG. 1, in-O/S security agent 418 of FIG.4, and/or in-O/S security agent 719 of FIG. 7, in-O/S security agent 919of FIG. 9, or any suitable combination thereof.

Below-O/S security agent 1220 may be implemented by or configured toimplement the functionality of below-O/S trapping agent 104 or triggeredevent handler 108 of FIG. 1, SVMM 216 or SVMM security agent 217 of FIG.2, firmware security agents 440, 442, below-O/S agent 450, or PCfirmware security agent 444 of FIG. 4, firmware security agent 516 ofFIG. 5, or microcode security agent 708 or below-O/S agent 712 of FIG.7, below-O/S trapping agent 920 or triggered event handler 922 of FIG.9, and/or any combination thereof.

Security rules 1208 may be implemented by or configured to implement thefunctionality of security rules 114 of FIG. 1, security rules 222 ofFIG. 2, security rules 434, 436, 438 of FIG. 4, security rules 518 ofFIG. 5, security rules 707, 723 of FIG. 7, security rules 908 of FIG. 9,and/or any combination thereof. Security rules 1221 may be implementedby or configured to implement the functionality of security rules 220 ofFIG. 2, security rules 420 of FIG. 4, security rules 721 of FIG. 7,security rules 921 of FIG. 9, and/or any combination thereof.

Below-O/S security 1220 may be configured to intercept access to memoryof electronic device 1201. Such memory may include, for example,attempted access of addresses of physical memory 1203 or attemptedaccess of pages of virtualized memory 1204. Such an attempted access mayoriginate from operating system 1213 or entities utilizing operatingsystem 1213 to run on electronic device 1201, such as application 1210or driver 1211.

In one embodiment, memory secured by below-O/S security 1220 may includevirtualized memory 1204. Virtualized memory 1204 may include memoryavailable to entities, such as operating system 1213, application 1210,or driver 1211, that have been abstracted from physical memory and/orstorage. Virtualized memory 1204 may appear as a contiguous block ofmemory to entities such as operating system 1213, application 1210, ordriver 1211, although the actual spaces used may be spread disparatelyacross actual physical memory, such as physical memory 1203, and/or instorage such as on a disk. Virtualized memory 1204 may be virtualizedaccording to extensions of processor 1202. The address space ofvirtualized memory 1204 may be divided into memory pages. The memorypages may be each of equal size, such as four kilobytes. Electronicdevice 1201 may be configured to use page tables to translate thevirtual addresses of virtualized memory 1204 into physical addresses ofmemory such as physical memory 1203 or addresses of storage. Electronicdevice 1201 may include a memory management unit 1214 (“MMU”) configuredto translate virtual addresses of virtual memory 1204 into physicaladdresses of memory such as physical memory 1203 and/or into addressesof a storage. The pages of virtual memory 1204 may be indexed. Anattempted access of virtual memory 1204 pages may include an attemptedread, write, or execution of the page, and below-O/S security agent 1220may be configured to trap the attempt. In one embodiment, a page ofvirtual memory 1204 may correspond to a physical memory address or anaddress of a storage. In another embodiment, each page of virtual memory1204 may correspond to a physical memory address. In yet anotherembodiment, pages containing certain contents such as specific portionsof operating system 1213 may be pinned and may not change during theoperation of electronic device 1201.

In another embodiment, memory secured by below-O/S security agent 1220may include physical memory 1203. Physical memory 1203 may be accessedthrough addresses of the physical memory, as shown by markers (A), (B),(C), (D), (E), (F), (G), (H), (I), (J), and (K), which denote specificaddresses in physical memory 1203 that may be the base address of amemory range containing a defined element. Physical memory 1203 may beaccessed through an attempted read, write, or execution of a specificmemory address, and below-O/S security agent 1220 may be configured totrap the attempt. For example, an attempted write may take the form ofan instruction “MOV Addr1, Value” wherein a value represented by thevariable “Value” is written to a specific memory address represented by“Addr1.” Any instruction writing to a physical memory 1203 address maybe used. An attempted read may take the form of an instruction such as“MOV Value, Addr1” wherein a value represented by the variable “Value”is read from a specific memory address represented by “Addr1.” Anyinstruction reading from a physical memory 1203 address may be used. Anattempted execution may take the form of an instruction loading aninstruction pointer register such as “EIP” with a physical memory 1203address, such as “MOV EIP, Addr1.” Such an instruction may be configuredto execute the code beginning at the address represented by “Addr1.” Anyinstruction for executing an address in memory may be used.

Below-O/S security agent 1220 may be configured to intercept attemptedaccess to virtual memory 1204. Furthermore, below-O/S security agent1220 may be configured to intercept attempted access to physical memory1203. In one embodiment, a request for virtual memory 1204 may not beintercepted, but a subsequent corresponding attempted access of physicalmemory 1203 after MMU has translated the virtual memory 1204 page to aphysical memory 1203 address, below-O/S security agent 1220 may beconfigured to intercept the attempted access to physical memory. Inanother embodiment, an attempted access may be made directly of physicalmemory 1203 without being translated through virtual memory 1204, andbelow-O/S security agent 1220 may be configured to intercept theattempted access. In still yet another embodiment, an attempted accessmade to virtual memory 1204 may be intercepted, but below-O/S securityagent 1220 may not be configured to intercept a subsequent access of aphysical memory 1203 address.

Below-O/S security agent 1220 may be communicatively coupled to in-O/Ssecurity agent 1219. Below-O/S security agent 1220 may be configured toreceive contextual information about an attempted access of memory ofelectronic device 1201 from in-O/S security agent 1219. The contextualinformation provided by in-O/S security agent 1219 may include theidentity of entities that have attempted a particular access of memoryof electronic device 1201.

Below-O/S security agent 1220 may be communicatively coupled to orinclude a memory map 1206. Memory map 1206 may be implemented in a file,record, data structure, or other suitable entity. Memory map 1206 mayinclude information regarding the location of various entities ofelectronic device 1201 in memory. For example, if a process is loaded inmemory of electronic device 1201 for execution, memory map 1206 mayinclude information regarding which memory pages in virtualized memory1204 or address ranges in physical memory 1203 contain the process.Depending upon the implementation of virtualization of memory inelectronic device 1201, all of the contents of the process may or maynot be loaded in physical memory 1203, as some contents may be loaded instorage such as a disk. For such contents to be accessed, they may beloaded into physical memory 1203. In such a case, memory map 1206 maycontain information about addresses where the contents are stored,whether in physical memory 1203 or in a storage such as a disk.Below-O/S security agent 1220 may be configured to use memory map 1206to determine the identity or the owner of any given content in a virtualmemory 1204 page or a physical memory 1203 address. Below-O/S securityagent 1220 may build memory map 1206 by, for example, profiling theoperation of the operating system 1213, and then determining where inmemory various sensitive components are located. As attempts to accessmemory are made—such as loading the operating system 1213 kernel, orexecuting kernel mode instructions—below-O/S security agent 1220 may beconfigured to communicate with in-O/S security agent 1219 to determinewhat portion of operating system 1213 is loading or being executed. Inanother example, below-O/S security agent 1220 may be configured todetermine a hash or digital signature of the contents of a memory rangeof such a virtual memory 1204 page. The hash or digital signature may becompared against known values, which may be contained in security rules1208 or obtained from protection server 202. The known values may be theresult of a previous characterization, in which portions of, forexample, operating system 1213 have been identified. Elements to bemapped may be determined by security rules 1208. Below-O/S securityagent 1220 may be configured to track the movement of elements in memorymap 1206 as the elements are copied from one place to another in thememory of electronic device 1201.

FIG. 13 is an illustration of example embodiments of memory maps. In oneembodiment, virtual memory map 1302 may include a mapping of elements tobe tracked through their position in virtual memory. In anotherembodiment, physical memory map 1304 may include a mapping of elementsto be tracked through their position in physical memory. In variousembodiments, virtual memory map 1302 and physical memory map 1304 may bemapped together so that an element may be tracked in both mappings.

Virtual memory map 1302 may reflect ten different virtual memory pages.Virtual memory map 1302 may illustrate, for example, that a kerneloperating system data structure such a page directory may be found inmemory page 1 and memory page 2. In another example, the elements of aparticular process, function, or routine called “Fn1,” may be found inmemory pages 4-6. In yet another example, data structures forpermissions for a system service dispatch table (“SSDT”) may be found inpage 8. In still yet another example, elements of a particular process,function or routine called “Fn2” may be found in memory page 8 andmemory page 9.

Physical memory map 1304 may reflect the location of elements withphysical memory. Portions of elements in physical memory may be spreadacross the memory in non-contiguous segments or blocks. Furthermore,portions of elements in physical memory may be spread across the memoryin arbitrary order. The size of each segment may vary in size. Thesegment may begin at an address at an offset from the base address. Theexample base address shown in FIG. 13 is 00x000, terminating at addressFFxFFF. Addresses denoting the start of various segments of the physicalmemory are denoted (A)-(O). For elements that are contained withinmultiple segments of the physical memory, the order of the elements maybe noted. In physical memory multiple segments of an element may belinked together by pointers where the end of one segment of an elementmay point to the next segment of the element.

For example, Fn1 may be mapped to the segments between (A) and (B), (J)and (K), and (M) and (N). In another example, SSDT permissions may bemapped to the segment between (G) and (H). In yet another example, thepage directory data structure may be mapped to the segments between (O)and FFxFFF, (F) and (G), and (I) and (J). In still yet another example,Fn2 may be mapped to the segments between (H) and (I), and (B) and (C).

Returning to FIG. 12, below-O/S security agent 1220 may be configured toconsult security rules 1208 to determine what portions of memory toprotect, and how to protect them. For example, security rules 1208 maybe configured to indicate that the page directory data structure mayonly be written to by certain privileged entities of electronic device1201. Thus, attempts to write to the page directory data structure maybe trapped, and elements attempting the write may be examined todetermine whether they are safe, unknown, or known to be unsafe.Below-O/S security agent 1220 may be configured to consult memory map1206 to determine where the page directory data structure is located inmemory. If below-O/S security agent 1220 is implemented, for example,fully or in part in a virtual machine monitor, below-O/S security agent1220 may be configured to set a flag in a control structure to trap anyattempted write to memory pages 1 and/or 2 of virtual memory 1204. Ifbelow-O/S security agent 1220 is implemented, in another example, fullyor in part in microcode, below-O/S security agent 1220 may be configuredto set a flag in a control structure to trap any attempted write tomemory addresses within the address ranges between addresses (O) andFFxFFF, (F) and (G), and (I) and (J) of physical memory 1203.

In another example, security rules 1208 may be configured to indicatethat Fn1 may only be called by certain privileged entities of electronicdevice. Thus, attempts to execute Fn1 may be trapped, and elementscalling Fn1 may be examined to determine whether they are safe, unknown,or known to be unsafe. Below-O/S security agent 1220 may be configuredto consult memory map 1206 to determine where Fn1 resides in memory. Ifbelow-O/S security agent 1220 is implemented, for example, fully or inpart in a virtual machine monitor, below-O/S security agent 1220 may beconfigured to set a flag in a control structure to trap an attemptedexecution of memory pages 4, 5, and/or 6 of virtual memory 1204. Ifbelow-O/S security agent 1220 is implemented, in another example, fullyor in part in microcode, below-O/S security agent 1220 may be configuredto set a flag in a control structure to trap any attempted execution ofmemory address (A) of physical memory 1203. In some cases, whereindifferent portions of Fn1 may be separately executed, below-O/S securityagent 1220 may be configured to trap attempted execution of any memoryaddress within the ranges between (A) and (B), (M) and (N), theaddresses (O) and FFxFFF, (F) and (G), (J) and (K), or (I) and (J) ofphysical memory 1203.

In one embodiment, below-O/S security agent 1220 may be configured toconsult in-O/S security agent 1219 to determine what entity has made thecall to write to memory, which is then used to determine whether theentity is authorized or not to make the write. In another embodiment,below-O/S security agent 1220 may be configured to determine the memorypage of virtualized memory 1204 from which the request came and consultmemory map 1206 to determine whether such a memory page is associatedwith any elements mapped therein. In yet another embodiment, below-O/Ssecurity agent 1220 may be configured to determine a hash or signatureof a memory page of the requesting element and compare it against hashesand signatures of known entities.

If below-O/S security agent 1220 is implemented fully or in part bymicrocode, below-O/S security agent 1220 may be configured to determinethe address of the instruction which attempted the write. In oneembodiment, below-O/S security agent 1220 may be configured to make sucha determination by examining an instruction pointer to determine wherein physical memory 1203 the instruction was made. In another embodiment,by accessing memory map 1206, below-O/S security agent 1220 may beconfigured to determine an element from the memory map 1206 associatedwith the address. In yet another embodiment, below-O/S security agent1220 may be configured to determine a hash or signature of therequesting element and compare it against hashes and signatures of knownentities.

Once an attempted access of memory has been trapped, below-O/S securityagent 1220 may be configured to access security rules 1208 to determinehow to handle the trapped attempt based on the identified requestingentity. Security rules 1208 may define that, for example, only certainspecified kernel portions of operating system 1213 may call and executeFn1 or that only entities that are known to be safe and on a whitelistmay write to the permissions of the SSDT. Below-O/S security agent 1220may then be configured to take any appropriate action, such as allowingthe request to proceed, denying the request, spoofing a response orwritten value, or executing a corrective process.

In operation, below-O/S security agent 1220 may be running below thelevel of operating systems of electronic device 1201 such as operatingsystem 1213. Below-O/S security agent 1220 may access security rules1208 to determine what memory resources of electronic device 1201 toprotect. Below-O/S security agent 1220 may determine, develop, and/orpopulate the contents of memory map 1206. To do so, below-O/S securityagent 1220 may access security rules 1208, protection server 202, or anyother suitable source of information for populating information inmemory map 1206. Below-O/S security agent 1220 may intercept requests ofphysical memory 1203 or virtual memory 1204 from entities at theoperating system level, such as operating system 1213, application 1210,or driver 1211, to map the ownership and contents of memory in memorymap 1206. Below-O/S security agent 1220 may access in-O/S security agent1219 to determine what entities are being loaded into memory so thatmemory map 1206 may be populated. Memory map 1206 may contain memorymapping for physical memory 1203, virtual memory 1204, and/or mappingsbetween the two.

Below-O/S security agent 1220 may consult security rules 1208 todetermine what portions of virtual memory 1204 and/or physical memory1203 to protect. Security rules 1208 may specify that some portions ofmemory are to be secured on a dynamic basis, wherein protection for thememory may be enabled or disabled by below-O/S security agent 1220depending upon a variety of considerations. Such considerations mayinclude, for example, administrator settings, detection of malicious orsuspicious behavior, time, previously detected accesses of memory, orany other suitable criteria. If protecting memory of electronic device1201 is expensive in terms of computational resources, such dynamicenabling and disabling may allow below-O/S security agent 1220 to bettersecure critical portions of the memory of electronic device 1201 whilelessening side affects on the ability of electronic device 1201 to carryout other tasks. For example, memory containing the contents of thekernel code of operating system 1213 may always be protected bybelow-O/S security agent 1220, while the memory containing the contentsof the code of a third-party application 1210 may be protected only uponother indications that malware is present or may affect the third-partyapplication 1210.

Below-O/S security agent 1220 may set a flag in a control structure totrap attempted access of physical memory 1203 and/or virtual memory1204. In one embodiment, as a request is made from an entity inoperating system 1213 for a memory page in virtual memory 1204designated to be trapped, below-O/S security agent 1220 may interceptthe attempted request. In another embodiment, as a request is made for amemory page in virtual memory 1204, below-O/S security agent may allowthe request to be translated by MMU 1214 into a request for an addressin physical memory 1203, whereupon below-O/S security agent mayintercept the attempted request. In yet another embodiment, as a requestfrom an entity in operating system 1213 may be made for an address inphysical memory 1203 directly, below-O/S security agent 1220 mayintercept the attempted request.

Once a request has been intercepted, below-O/S security agent 1220 mayuse any suitable mechanism to evaluate the intercepted request ofmemory. Security rules 1208 may be used to determine whether the attemptis suspicious, indicating a malicious attempt by malware to use theresources of electronic device 1201. Security rules 1208 may includeconsiderations of, for example, whether a read, write, or execution wasattempted; what entity made the attempt; the memory address or page thatwas accessed; previous attempts or actions by the same requestor;security settings by an administrator of electronic device 1201, such asrules that are more or less restrictive based upon the user ofelectronic device 1201; or the identity of the requestor, as determinedby memory location and/or digital signature or hash, or upon relatedpages or memory addresses.

For example, an attempted write of the page directory data structure inpage 2 of virtual memory 1204 or at address (J) of physical memory 1203may be intercepted by below-O/S security agent 1220. If the write hascome from a portion of memory of a process that is unknown, the writemay be determined to be suspicious by below-O/S security agent 1220.However, if the attempted write has come from a known, verified part ofthe operating system 1213 kernel, then the attempt may be determined tonot be suspicious. Likewise, an attempted execution of Fn2 at page 8 ofvirtual memory 1204 or at address (H) of physical memory 1203 may beintercepted. If the attempted execution was made from a user input, thenthe execution may be determined to not be suspicious. If the attemptedexecution was made from the memory of another program, and the programis not on an approved list, then the attempt may be determined to besuspicious or malicious.

In another example, if Fn1 is a web browser that normally exposes itscache to other applications for purposes of interoperability, below-O/Ssecurity agent 1220 may allow a specified portion of the memory pages ormemory addresses of Fn1 to be read by other applications. However, ifFn1 contains metadata or other information that should be kept private,then below-O/S security agent 1220 may secure those portions of thememory pages or memory addresses of Fn1 from being read from any processother than Fn1 itself.

Once a program has been determined to be suspicious, malicious, orotherwise indicative of malware, then below-O/S security agent 1220 maytake any suitable corrective action. Below-O/S security agent 1220 may,for example, deny a write request to memory page 2 of virtual memory1204 or address (J) of physical memory 1203, yet return a resultindicating that the value was written. The process generating therequest may be monitored for additional attempts to access the resourcesof electronic device 1201, may be stopped, or may be cleaned fromelectronic device 1201. In another example, the attempted execution ofpage 8 of virtual memory 1204 or address (H) of physical memory 1203 mayinstead be directed to the execution of a honeypot process or a cleanupprocess.

The contents of the memory which are secured by below-O/S security agent1220 may include data, code, or any other useful system resources whichmay be attacked by malware. Below-O/S security agent 1220 may protectthe contents of memory against malware attempting to, for example, read,write, or hook mechanisms showing the processes running on electronicdevice 1201, inject its code into portions of applications loaded inmemory, or change permission and access flags of mapping tables forvirtual memory 1204. By operating below the level of operating system1213, below-O/S security agent 1220 may avoid malware running at thekernel mode level in operating system 1213. Below-O/S security agent1220 may accomplish zero-day detection, as in some cases it may not needknowledge that the identity of a requesting entity has been previouslydetermined to be malicious—the fact that the entity is unknown may beused to deny access to some parts of the memory of electronic device1201. If the operating system 1213 or antivirus or antimalware measuresrunning in the operating system 1213 are completely compromised, thememory may be completely locked from entities running at the level ofthe operating system.

One application of below-O/S security agent 1220 may be to detect anattempted access of the contents of virtual memory 1204 even before aread, write, or execute of the specific contents is attempted bydetecting a change to the permissions of the particular memory page. Thememory tables used by MMU 1214 may be resident in memory, in a page ofvirtual memory 1204 itself, and/or address of physical memory 1203. Anattempt to change the values of the memory table, for example, to changethe permissions of a code section of a process from “read” to “write,”may itself be trapped by below-O/S security agent 1220. The memory pageof virtual memory 1204 or the address of physical memory 1203 may besecured by below-O/S security agent 1220, and upon a trapped attempt towrite a new value to the permissions in such a location, below-O/Ssecurity agent 1220 may determine whether the requestor of the attemptis allowed to make such changes. For example, if the request to changethe permissions of a code section of a process arose from a differentprocess, the attempted change in permissions may be denied.

FIG. 14 is an example embodiment of a method 1400 for securing memoryusing below-operating system trapping of attempted access of anelectronic device. In step 1405, the virtual or physical memory of theelectronic device may be mapped to determine the identity or owner ofthe contents of memory. In order to map the memory, for example, aprotection server may be accessed; reads, writes, and execution ofmemory may be tracked; and/or contents of memory scanned and signaturesgenerated for the contents.

In step 1410, security rules may be accessed to determine in step 1415addresses of physical memory or pages of virtual memory to be secured.The memory to be secured may depend, for example, upon the securityrules, the user of the electronic device, other observed behavior inelectronic device such as indications of malware, previous attempts toaccess secured memory, or administrator settings. The memory to besecured may change dynamically, as conditions of the operation of theelectronic device may change. The security rules may specify entities ofelectronic device to be protected, and the location in physical orvirtual memory of the entities may be determined by accessing the memorymap.

In step 1420, flags may be set in a control structure to trap attemptedaccess of memory according to the requirements of the security rules.Such flags may be set for pages of virtual memory and/or addresses ofphysical memory. Flags may contain an indication of the memory that isto be secured, as well as the kind of access method (for example—read,write, or execute) that is to be flagged. In step 1425, access to thesecured memory may be monitored to see if an attempted access of thedesignated type has been made to a designated address or page. In step1430, it may be determined whether an attempt to access the memory hasbeen trapped. If not, then in step 1435 it may be determined whetherflags of the memory to be secured require changing. If so, then themethod 1400 may return to step 1410 to access security rules to updatethe flags for guarding access to memory. If not, then the method 1400may return to step 1425 to monitor for attempted access of securedmemory.

If an attempt to access the memory has been trapped, then beginning instep 1440 the trapped attempt may be evaluated. To evaluate the attempt,the memory map may be consulted to determine from where the request wasmade, and identify the requestor. The values of data to be written maybe determined and evaluated for their contents. The nature of theattempt—read, write, or execute—may be considered. These exampleconsiderations may be used in conjunction with the security rules todetermine whether or not the attempted access is indicative of malwarein step 1445. If the attempted access is indicative of malware, then instep 1450, corrective action may be taken. Such corrective action mayinclude denying the requested access, returning a spoofed value, orinitiating a honeybot or corrective process. If the attempted access innot indicative of malware, then in step 1455 the request may be allowed.Method 1400 may return to step 1425 as required to continue securing thememory of the electronic device.

FIG. 15 is an example embodiment of a system 1500 for below-operatingsystem trapping and securing loading of code into memory. System 1500may include a below-O/S security agent 1520 configured to operate onelectronic device 1501 to trap attempts to load code into a memory suchas memory 1503. In one embodiment, below-O/S security agent 1520 may beconfigured to trap attempts to load kernel mode code into memory 1503.Furthermore, below-O/S security agent 1520 may be configured to use oneor more security rules 1508 to determine what resources of electronicdevice 1501 to secure to trap attempts to load kernel mode code intomemory 1503 and whether such attempts are authorized based on theattempt and the entities involved in conducting the attempt. Below-O/Ssecurity agent 1520 may be configured to allow or deny the attempt ortake other corrective action.

Electronic device 1501 may be implemented wholly or in part by orconfigured to implement the functionality of the electronic device 103of FIG. 1, electronic device 204 of FIG. 2, electronic device 404 ofFIG. 4, electronic device 701 of FIG. 7, electronic device 901 of FIG.9, electronic device 1201 of FIG. 12, and/or any combination thereof.Electronic device 1501 may include one or more processors 1502 coupledto a memory such as memory 1503. Processor 1502 may be implementedwholly or in part by or configured to implement the functionality ofprocessor 208 of FIG. 2, processor 408 of FIG. 4, processor 702 of FIG.7, processor 1202 of FIG. 9, processor 1202 of FIG. 12, and/or anycombination thereof. Memory 1503 may be implemented wholly or in part byor configured to implement the functionality of memory 206 of FIG. 2,memory 406 of FIG. 4, memory 703 of FIG. 7, memory 903 of FIG. 9,physical memory 1203 or virtual memory 1204 of FIG. 12, and/or anycombination thereof. Electronic device 1501 may include an operatingsystem 1512, which may include or be communicatively coupled to anin-O/S security agent 1519 coupled to one or more security rules 1521.In-O/S security agent 1519 may be communicatively coupled to below-O/Ssecurity agent 1520. Operating system 1512 may be implemented wholly orin part by or configured to implement the functionality of operatingsystems 112 of FIG. 1, operating system 212 of FIG. 2, operating system412 of FIG. 4, operating system 713 of FIG. 7, operating system 913 ofFIG. 9, operating system 1213 of FIG. 12, and/or any combinationthereof. In-O/S security agent 1519 may be implemented wholly or in partby or configured to implement the functionality of in-O/S security agent218 of FIG. 1, in-O/S security agent 418 of FIG. 4, and/or in-O/Ssecurity agent 719 of FIG. 7, in-O/S security agent 919 of FIG. 9,in-O/S security agent 1219 of FIG. 12, or any suitable combinationthereof.

Below-O/S security agent 1520 may be implemented by or configured toimplement the functionality of below-O/S trapping agent 104 or triggeredevent handler 108 of FIG. 1, SVMM 216 or SVMM security agent 217 of FIG.2, firmware security agents 440, 442, below-O/S agent 450, or PCfirmware security agent 444 of FIG. 4, firmware security agent 516 ofFIG. 5, or microcode security agent 708 or below-O/S agent 712 of FIG.7, below-O/S trapping agent 920 or triggered event handler 922 of FIG.9, below-O/S security agent 1220 of FIG. 12, and/or any combinationthereof.

Security rules 1508 may be implemented by or configured to implement thefunctionality of security rules 114 of FIG. 1, security rules 222 ofFIG. 2, security rules 434, 436, 438 of FIG. 4, security rules 518 ofFIG. 5, security rules 707, 723 of FIG. 7, security rules 908 of FIG. 9,security rules 1208 of FIG. 12, and/or any combination thereof. Securityrules 1521 may be implemented by or configured to implement thefunctionality of security rules 220 of FIG. 2, security rules 420 ofFIG. 4, security rules 721 of FIG. 7, security rules 921 of FIG. 9,security rules 1221 of FIG. 12, and/or any combination thereof.

Below-O/S security agent 1520 and/or in-O/S security agent 1519 may becommunicatively coupled to a memory map 1510. Memory map 1510 maycontain a mapping of the locations of the pages or addresses of variousentities of operating system 1512 in memory 1503. Below-O/S securityagent 1520 and/or in-O/S security agent 1519 may be configured to accessmemory map 1510 to determine, for a given memory location or page inmemory 1503, what process, dynamically linked library (“DLL”),application, module or other entity of electronic device 1520 isassociated with the location or page. Below-O/S security agent 1520and/or in-O/S security agent 1519 may be configured to use suchinformation to, for example, determine what portions of memory 1503 totrap, or upon a trapped access of memory 1503 or a trapped execution ofa function, what entity in electronic device 1501 originated theattempt. Furthermore, below-O/S security agent 1520 may use memory map1510 to associate additional trapped attempts to a region of memory 1503as malicious, wherein a previous attempt to load code into memory 1503was determined to be malicious and was associated with the region ofmemory 1503.

Storage 1544 may be communicatively coupled to electronic device 1501 orreside within electronic device 1501. Storage 1544 may include anysuitable medium for mass storage, including a hard disk, flash drive,random access memory (“RAM”) disk, compact disc, DVD media drive, or anyother suitable memory. Storage 1544 may be communicatively coupled toelectronic device 1501 through any suitable interface, such asperipheral component interconnect, serial advanced technologyattachment, universal serial bus, or Firewire.

Electronic device 1501 may include one or more applications, drivers, orother entities—for example, application 1526 or driver 1528—that may tryto access a resource of electronic device 1501 in order to load codeinto memory 1503. Application 1526 or driver 1528 may include anyprocess, application, program, or driver. Application 1526 or driver1528, directly or through calls to other routines, may attempt to loadcode into memory 1503 by, for example, accessing portions of memory 1503or storage 1544 with read, write, or execute instructions. Below-O/Ssecurity agent 1520 may be configured to intercept such attempted callsor accesses, consult security rules 1508 and/or contextual informationfrom in-O/S security agent 1519 to determine whether the attempt isindicative of malware, and take any appropriate corrective action.Below-O/S security agent 1520 may be configured to make suchinterceptions through trapping access to memory 1503 or storage 1544and/or use of processor 1502. Below-O/S security agent 1520 may beconfigured to access security rules 1508 and/or memory map 1510 anddetermine what attempted access of memory 1503 or storage 1544 and/oruse of processor 1502 will be trapped. Below-O/S security agent 1520 maybe configured to set flags in a control structure corresponding to theactions that are to be trapped.

In one embodiment, entities such as application 1526 or driver 1528 mayattempt to access portions of memory 1503 associated with loading codeinto memory 1503 through a memory page, wherein memory 1503 has beenvirtualized by operating system 1512. In such an embodiment, below-O/Ssecurity agent 1520 may be configured to trap attempted access orexecution of memory 1503 on a memory page basis. In another embodiment,application 1526 or driver 1528 may attempt to access physical portionsof memory 1503 associated with loading code into memory In such anembodiment, below-O/S security agent 1520 may be configured to trapattempted access or execution of memory 1503 on a memory address basis.

Memory 1503 may contain one or more contents or locations associatedwith actions for loading code into memory 1503. Below-O/S security agent1520 may be configured to trap access to any such contents or locations.The following are given as illustrative examples. Memory 1503 maycontain pages or ranges of addresses for hosting a page table directory1530, which may contain permissions 1532 for other pages or addressranges within memory 1503. For example, permissions 1532 may containsettings for a combination of permissions to read, write, and/or executethe contents at memory locations (A), (B), (C), (D), and (E). Memory1503 may contain an empty space 1534 at location (A) which may beallocated by, for example, application 1526 or driver 1528. Memory 1503may contain code sections of entities or functions of electronic device1501, such as driver code section 1536 at memory location (E). Memory1503 may contain sections or ranges of memory that are unallocated, asfar as operating system 1512 is concerned, to any entity, such asunallocated space 1538 at memory location (B). Memory 1503 may containsections or ranges of memory for drivers whose malware status, eithersafe or malicious, are unknown, such as space for untrusted driver 1540at memory location (C). Memory 1503 may contain sections or ranges ofmemory with non-present content 1542. Such non-present content 1542 inmemory 1503 may include, for example, memory pages whose content hasbeen swapped to disk and may reside, for example in swapped content 1548in one or more swapped files 1546 on storage 1544.

Storage 1544 may contain one or more contents or locations associatedwith actions for loading code into memory 1503. Below-O/S security agent1520 may be configured to trap access to any such contents or locations.The following are given as illustrative examples. Storage 1544 maycontain swap files 1546 in which swapped content 1548 may be stored.Swapped content 1548 may appear to entities of electronic device 1501 tobe present within memory 1503, but is actually stored in storage 1544.Storage 1544 may contain sections or addresses storing an applicationimage 1550. Application image 1550 may include the image of anapplication, driver, DLL, or other entity for execution on electronicdevice 1501 such as application 1526 or driver 1528.

Below-O/S security agent 1520 and/or in-O/S security agent 1519 may beconfigured to scan portions of memory 1503 and/or storage 1544 formalware. Such scanning may include computing digital signatures,checksums, or hashes of contents within memory 1503 and/or storage 1544to determine whether the contents are the same as contents determined tobe malicious as defined by security rules 1508, 1521. However, somemalware may attempt to attack electronic device 1501 by inserting itselfor other malicious code into memory 1503 to be executed. By trappingattempts to load code into memory 1503, below-O/S security agent 1520may be configured to trap, scan, or secure code that is not initiallyplaced within, for example, a driver file, image in memory, or othernormative method of storing code. By not initially placing such codewithin a driver file, image in memory or other normative method ofstoring code, malware may attempt to avoid the efforts previouslydescribed of below-O/S security agent 1520 and/or in-O/S security agent1519 to scan portions of memory 1503 and/or storage 1544 for malware.Further, irregular methods of injecting code into memory 1503 may be anindication that the entity attempting such an injection is malicious,whether or not the content injected or the entity attempting theinjection is already known as malicious.

Below-O/S security agent 1520 may be configured to determine safe ornormative methods for loading code into memory 1503, such as use of anoperating system loader. Such safe or normative methods may bebenchmarked or mapped such that the logic or steps taken by operatingsystem 1512 may be known. Upon trapping an attempt to load code intomemory 1503, below-O/S security agent 1520 may determine whether such anattempt matches known methods for loading code. For example, if theattempt involved loading code into an already allocated portion ofmemory, and attempted to do so through bypassing the operating systemloader with a direct write to memory, the attempt may be determined tobe malicious.

To stop malware from injecting code into memory 1503 for execution byprocessor 1502, below-O/S security agent 1520 may be configured to trapone or more attempted steps required to inject code that avoid normalmethods of loading code into memory 1503 for execution. Such normalmethods of loading code into memory 1503 for execution may include, forexample, using an operating system loader of operating system 1512 toread an image of an application, driver, or other entity to be executedfrom, for example, storage 1544, place code from such an image intomemory 1503, and then execute the code that has been loaded. Below-O/Ssecurity agent 1520 may be configured to trap attempts to load code forexecution that, for example, avoid use of the operating system loaderand/or conduct any of these steps in an irregular manner. Such irregularmethods may be defined by security rules 1508. Such irregular methodsmay include trapping any attempted loading of code that is notoriginally read from file in an authorized application image 1550 orplaced into an equivalent application image in memory 1503.

In one embodiment, below-O/S security agent 1520 may be configured totrap an attempted writing of code into memory 1503 and an attemptedsubsequent execution of the code. For example, below-O/S security agent1520 may be configured to trap an attempted write at address (A), whichmay be part of a newly allocated space 1534. Such an attempted write mayitself not indicate malware, so the attempt may be recorded and used forfuture reference. The contents written may be scanned, recorded, orotherwise evaluated. Below-O/S security agent 1520 may be configured totrap a subsequent attempted execution of the code written to address(A). Below-O/S security agent 1520 may be configured to determine thatbecause an attempted execution of contents followed a previously trappedloading of the contents, the loading of the contents comprises loadingcode into memory 1503. Below-O/S security agent 1520 may be configuredto determine from contextual information, such as the source of theattempts, the targets of the attempts, the content loaded, informationfrom in-O/S security agent 1519, or any other suitable information,whether or not the loading of code indicates malware. For example, upondetecting that code has been loaded into memory and execution attempted,below-O/S security agent 1520 may be configured to scan the contentsthat were loaded and determine whether the code is known to be malware.In another example, upon detecting the loading and attempted executionof the code, below-O/S security agent 1520 may be configured todetermine if the code was loaded using normal functions of the operatingsystem 1512, such as the operating system loader. If the code was loadedusing other, nonstandard methods, such as a direct write from an unknowndriver, then below-O/S security agent 1520 may be configured todetermine that the attempted loading of code is suspicious and block theexecution of the code. Other examples of the methods by which below-O/Ssecurity agent 1520 may trap attempted loading and execution of code inmemory 1603, and by which below-O/S security agent 1520 may determinethat such attempts are suspicious or malicious, are described below.

In one embodiment, below-O/S security agent 1520 may be configured totrap the attempted reading of an application image 1550 from storage1544, and a subsequent writing of the contents to a new section ofmemory 1503 such as portion 1534, and a subsequent execution. Below-O/Ssecurity agent 1520 may be configured to compare the image as it resideson disk versus the image as it resides in memory. If the two images aredifferent, such as signatures of code sections, or a file layout, thensuch differences may indicate that code has been injected into the imageas it resides in memory 1503. Such an injection may be determined to bemalicious. However, below-O/S security agent 1520 may not trap anattempted reading of an application image 1550 from disk, and thusbelow-O/S security agent 1520 may not be able to compare the imageagainst that which is loaded in memory 1503.

FIG. 16 is an example illustration of how such injected code may begathered by an application and placed inside memory 1503 for execution.Application 1602 may be implemented by the application 1526 or driver1528 of FIG. 15. Below-O/S security agent 1620 may be implemented by thebelow-O/S security agent 1520 of FIG. 15. Memory 1603 may be implementedby the memory 1503 of FIG. 15. Memory 1603 may include memory spaces forapplication 1630 and driver 1632. Each memory space 1630, 1632 mayinclude space for code sections 1638, 1640 for their respectiveentities. Application 1602 may download code from a malware server 1604.Malware server 1604 may be a website, another electronic device on anetwork, or any other entity communicatively coupled to application1602. Application 1602 may write such code into the code sections 1638,1640 of application 1630 itself, or into another entity such as driver1632. Below-O/S security agent 1620 may be configured to intercept andevaluate such an attempt according to the various teachings givenherein. For example, below-O/S security agent 1620 may be configured totrap the attempted write and execution, evaluate the contents of thewrite attempt, evaluate the identity of application 1602, and evaluatethe target memory locations.

FIGS. 17 a and 17 b illustrate another example of how injected code maybe gathered by an application to place inside memory 1503. Application11702 and Application2 1704 may be implemented by the application 1526 ordriver 1528 of FIG. 15, or by other similar entities. Below-O/S securityagent 1720 may be implemented by the below-O/S security agent 1520 ofFIG. 15. Memory 1703 may be implemented by the memory 1503 of FIG. 15.Disk 1744 may be implemented by the storage 1544 of FIG. 15.

FIG. 17 a shows an example illustration of the loading of an image 1752of an application such as Application1 from disk 1744 to memory 1703. Anoperating system loader may be configured to read the disk image 1750 ofApplication1 1750 and write it to an image 1734 of Application1 inmemory 1703. Disk image 1750 of Application1 may include encryptedcontent 1752, which may be copied and remain in the image 1734 ofApplication1 in memory 1703 as encrypted content 1736. Below-O/Ssecurity agent 1720 may trap the attempted reads and writes called bythe operating system loader. However, in one embodiment the below-O/Ssecurity agent 1720 may have no reason to suspect any maliciousactivities are involved in the loading of the image, since the twoimages will not differ, and the action was conducted by normalmechanisms of the operating system.

FIG. 17 b shows an example illustration of possible actions conductedafter the image of the application is loaded in memory. Application21704 may be operating on an electronic device. Application1 1702 may beoperating on the electronic device and may send an instruction todecrypt encrypted content 1736. Such a command may result in theencrypted content 1736 being decrypted and decrypted content 1738 abeing written in the memory space of the image 1734 of Application1,and/or being written in the memory space of the image 1740 ofApplication2 as decrypted content 1738 b. Thus, Application1 1702 mayattempt to inject code into its own code section or into the codesection of another entity. Application1 1702 may write the decryptedcontent 1738 a in place over the previous encrypted content 1736 or intoanother memory portion of the image 1734 of Application1. The code fromdecrypted content 1738 may be malicious. Thus, below-O/S security agent1720 may be configured to trap and evaluate the attempted writing andexecution of code such as decrypted content 1738 according to thevarious teachings given herein. For example, below-O/S security agent1720 may be configured to intercept the attempted write and execution,evaluate the contents of the write attempt, evaluate the identity ofapplication 1602, and evaluate the target memory locations.

Returning to FIG. 15, below-O/S security agent 1520 may determine thelayout of portions of memory 1503, including the location of knownentities of electronic device 1501. In one embodiment, such a layout mayinclude a layout of the kernel virtual memory as it contains kernelimages of operating system 1512 and its components, as well as trusteddrivers (and their code and data sections) and other drivers (and theircode and data sections). Such a layout may be stored in memory map 1510.Below-O/S security agent 1520 may determine such a layout from securityrules 1508 or a protection server, by profiling the startup andoperation of operating system 1512, by verifying the components ofoperating system 1512 and trusted drivers by scanning or verifyingdigital certificates, or any other suitable methods. Below-O/S securityagent 1520 may also determine which portions of memory 1503 are notallocated to any of the entities of electronic device 1501. Mappings ofkernel memory to physical memory may be contained in memory map 1510,describing associated physical memory addresses for a given page inkernel memory. Memory map 1510 may also contain descriptions of whatportions of memory have been allocated, not allocated, are associatedwith non-present contents, or swap files. Operating system 1512 may haveinformation in a database, such as a Page Frame Number Database (“Pfn”),describing virtual pages managed by the operating system 1512. Traversalof such a database may be used to determine memory pages that areallocated, mapped, contain non-present contents, etc.

Once the layout of memory 1503 is known, below-O/S security agent 1520may be configured to monitor the allocation and execution of memory inunallocated areas. Below-O/S security agent 1520 may be configured totrap such attempted operations and scan the content to be written. Thesteps for such operations may include an entity allocating portions ofmemory 1503 with write permissions enabled, writing new content to theportions of memory 1503, changing the permissions of the portion ofmemory 1503 to enable execution, and calling the portion of memory 1503for execution. Below-O/S security agent 1520 may be configured to trapthese steps and stop the attempted execution before determining whetherthe steps are indicative of malware. For example, below-O/S securityagent 1520 may be configured to trap an attempted allocation of anunallocated portion 1534 of memory 1503 at location (A), an attempt towrite contents to the portion 1534, a write to permissions 1532 of pagetable directory 1530 to change the permission of location (A) from“write” to “write/execute,” and an attempted execution of the permissionat location (A). Below-O/S security agent 1520 may be configured to trapany suitable function for allocating memory, such as the Windows™functions:

-   -   MmAllocateContiguousMemory    -   MmAllocateContiguousMemorySpecifyCache    -   MmAllocateSpecialPool    -   MmAllocateContiguousMemorySpecifyCacheNode    -   MmAllocateIndependentPages    -   MmAllocateMappingAddress    -   MmAllocateNonCachedMemory    -   MmAllocatePagesForMdl or    -   MmAllocatePagesForMdlEx        Below-O/S security agent 1520 may be configured to trap the        execution of the pages in memory 1503 or the execution of the        physical addresses in memory 1503 corresponding to these        functions to trap the attempted allocation of memory. Below-O/S        security agent 1520 determines the caller of the functions and        scans the contents of the caller for known malware. If, for        example, the attempt to allocate was made with a subfunction of        a known, secured allocation function, then such an attempt may        be indicative of malware attempting to circumvent security        associated with the function. Below-O/S security agent 1520 may        be configured to add the allocated memory portion to memory map        1510 for future reference. Below-O/S security agent 1520 may be        configured to record the attempted memory allocation, along with        contextual information such as the caller.

Below-O/S security agent 1520 may be configured to trap any suitablefunction or method for writing code to memory. Entities such asapplication 1526 or driver 1528 may use functions or methods provided byoperating system 1512 to enter code into memory 1503. However, theseentities may write directly to memory in an attempt to avoid detection.Thus, if below-O/S security agent 1520 traps an attempt to enter code inmemory 1503, wherein the attempt was made without using such designatedfunctions, below-O/S security agent 1520 may be configured to determinethat the attempt to load code into memory 1503 is suspicious.

Below-O/S security agent 1520 may be configured to trap any suitablefunction or method for changing the permission of a memory location. Forexample, to change a memory page permission, one of the followingWindows™ functions may be called:

-   -   MmProtectMdlSystemAddress    -   NtProtectVirtualMemory    -   MiGetPageProtection    -   MiQueryAddressState    -   MiSetProtectionOnSection    -   MiGetpageProtection    -   MiProtectPrivateMemory        Thus below-O/S security agent 1520 may be configured to trap the        execution of any of these functions by monitoring for an        execution of their location in memory. The below-O/S security        agent 1520 may be configured to trap any attempted write to page        table directory 1530 and its permissions 1532 contained therein.        If an attempted write to permissions 1532 is trapped, while an        execution of an approved function for changing permissions 1532        (such as those listed above) is not trapped, then below-O/S        security agent 1520 may be configured to determine that the        attempt to write is indicative of malware. Such an attempt may        be the result of malware directly editing an entry in the page        table directory for permissions for a memory location (e.g.        “read” to “write” or to “execute”), such that the corresponding        location may be written to with malicious content or executed        without incurring security associated with operating system 1512        functions.

If an attempted write to memory followed by an attempted execution istrapped, and below-O/S security agent 1520 determines that such anattempt has been made on unallocated portions of memory, such as theunallocated memory portion 1538 at location (B), then below-O/S securityagent 1520 may be configured to determine that such an attempt ismalicious. Below-O/S security agent 1520 may be configured to determinewhether the attempt to write and execute contents has been made tounallocated space such as unallocated portion 1538 at location (B).Below-O/S security agent 1520 may be configured to make such adetermination by accessing memory map 1510 or referencing previouslytrapped executions of allocation functions. In one embodiment, if theattempted write and execution are made in memory 1503 determined to beunallocated, malware may have allocated the memory without the use ofthe routines defined by the operating system 1512. In such anembodiment, below-O/S security agent 1520 may determine that the attemptis a malicious attempt to load code into memory 1503 for execution. Inanother embodiment, if the attempted write and execution are made inmemory 1503 already allocated to an entity of electronic device 1501 asshown in memory map 1510, then below-O/S security agent 1520 may beconfigured to examine whether the caller of the instructions haspermission or is authorized to write code into another entity. If not,then such an attempt may be indicative of malware attempting to injectcode into a portion of memory 1503 belonging to another function, whichmay be malicious.

Below-O/S security agent 1520 may be configured to trap any attemptedwrites, reads, or executes in portions of memory 1503 designated asunallocated, such as portion 1538 at location (B), or attempts to changethe permissions of unallocated portions 1538 in permissions 1532. Anysuch attempts arising from entities other than authorized allocationfunctions, called in turn by authorized entities of operating system1512, may be determined to be malicious regardless of whether themalware status of the caller is unknown. If the memory locationexperiences an attempted write, then it may be determined that theattempt is an indication of code being loaded in memory. If the memorylocation experiences an attempted execution, then it may be determinedthat the attempt is an indication of newly loaded code being executed.

Below-O/S security agent 1520 may be configured to trap any attemptedwrites or executions by an untrusted driver 1540 or a change inpermissions 1532 for the memory location (C) associated with theuntrusted driver 1540. Untrusted driver 1540 may include a driver whosemalware status is unknown. There may be no entries in either a blacklistor whitelist for a signature or hash of untrusted driver 1540. Untrusteddriver 1540 may be a safe, new driver not encountered by system 1500 orsimilar systems, or untrusted driver 1540 may be a permutation ofmalware not encountered by system 1500. Once an attempted write orexecution of untrusted driver 1540 is trapped, below-O/S security agent1520 may be configured to apply additional security rules 1508 toevaluate such trapped operations. In particular, attempts to write andsubsequently execute code may be trapped and closely examined bybelow-O/S security agent 1520 to determine whether such operations areattempted upon known elements, such as kernel modules of operatingsystem 1512 or known drivers. If so, such attempts may be blocked andthe untrusted driver 1540 determined to be malware.

Below-O/S security agent 1520 may be configured to trap attempted writesor execution of portions of memory 1503 that have non-present content,such as portion 1542 at address (D). Portion 1542 of memory 1503 may beallocated in terms of virtual memory allocation, but the contents ofportion 1542 may not be actually present in the physical memory ofmemory 1503. Instead, contents of such portion 1542 may be presentelsewhere, such as in storage 1544. The non-present content may residein storage 1544 in a swap file 1546 containing swapped content 1548 aspart of a page swap operation, wherein contents of a virtualized memory1503 are moved to disk to make room for other elements in the physicalmemory of memory 1503. Operating system 1512 may be configured toconduct such swapping operations and may be configured to reload theswapped content 1548 into physical memory when it is needed. Thus, whileportion 1542 contains non-present content, attempted writes to orexecutions of portion 1542 may be trapped by below-O/S security agent1520. If such an attempted write originated from an entity other thanoperating system 1512 conducting a page swap, then the write may bemalicious. For example, attempted writes to portion 1542 not originatingfrom a virtual memory manager of operating system 1512 may be denied.Further, if an attempted execution of portion 1542 is made while itscontents are non-present, then such an attempted execution may bemalicious.

Furthermore, an attempted access such as a write to the swapped content1548 of swapped file 1546 on storage 1544 may be trapped by below-O/Ssecurity agent 1520. If such an attempted access originated from anentity other than an authorized entity, then the write may be malicious.For example, attempted writes to swapped content 1548 not originatingfrom a virtual memory manager of operating system 1512 may be denied anddetermined to be indicative of malware. Such trapping may be made, forexample, by trapping disk write functions or by trapping input/outputcommands in storage 1544. Such trapping of input/output commands instorage 1544 may be accomplished, for example, by a firmware securityagent running on storage 1544.

FIG. 18 illustrates an additional example of malicious attacks onswapped content to inject code. Kernel virtual memory 1804 may representportions of memory 1503 as they have been virtualized. The contents ofkernel virtual memory 1804 may be mapped to the locations where theyreside. Such contents may be mapped, for example, to physical memory1802 and/or disk 1844. Physical memory 1802 may illustrate a physicallayout of memory 1503 as it physically resides in electronic device1501. Disk 1844 may be implemented by storage 1544 of FIG. 15. Someportions 1806, 1810, 1814, 1818 of kernel virtual memory 1804 may beunallocated, and available to a user of virtual memory. Other portionsof kernel virtual memory 1804 may include portions for the operatingsystem kernel 1808 and drivers such as driver1 1812, driver2 1816, anddriver3 1820. The portions of allocated memory in kernel virtual memory1804 may map to various noncontiguous parts of physical memory 1802and/or disk 1844. Example pages included in driver3 1820 are shown,including pages 1822, 1824, and 1826. Page 1826, corresponding todriver3 page 0, may be mapped to a swap file 1850 on disk 1844. Page1824, corresponding to driver3 page 1, may be mapped to an address inphysical memory 1802 at address (A) and continuing on to address (B).Page 1822, corresponding to driver 3 page 2, may be mapped to a swapfile 1848 in disk 1844.

When a swap file operation is conducted, the contents of driver3 page 0,which may be “XYZ” may be written to swap file 1850. The contents ofdriver 3 page 0 may thus be non-present. In the meantime, malware 1852may rewrite the contents of swap file 1850 to “PDQ.” Thus, when the swapfile operation is reversed and the contents are read from the disk 1844and swap file 1850, the new code will be loaded into kernel virtualmemory 1804. Also possible may be the action of malware 1852 to writevalues directly in to physical memory 1802 for other pages, such as page1824.

Returning to FIG. 15, below-O/S security agent 1520 may be configured toprevent loading code into swap files 1546 associated with pages withnon-present content 1542. Below-O/S security agent 1520 may beconfigured to trap attempted write operations to swap files 1546 frommemory 1503 or vice-versa, and determine a snapshot, signature,cryptographic hash, checksums or other indication of the contents.Below-O/S security agent 1520 may be configured to trap such an attemptby setting flags corresponding to locations on storage 1544 or uponfunctions or routines for swapping memory pages. Below-O/S securityagent 1520 may be configured to trap attempted read operations from swapfiles 1546 and/or writes back to memory portions for non-present content1542. Below-O/S security agent 1520 may be configured to trap attemptedexecution of swap functions to accomplish such tasks. Such functions mayinclude or call, for example, IoPageRead( ) IoAsynchronousPageWrite( )or IoAsynchronousPageWrite( ). Below-O/S security agent 1520 may beconfigured to determine a snapshot, signature, cryptographic hash,checksums, or other indication of the contents being read from swap file1546 and/or being written to non-present content 1542 and determinewhether the contents have been changed. If so, below-O/S security agent1520 may be configured to determine that the contents of the swap file1546 have been injected with code. Below-O/S security agent 1520 may beconfigured to block the execution of the new content or take any othercorrective measure.

Below-O/S security agent 1520 may be configured to determine that aparticular write to memory 1503 is a loading of code by trapping asubsequent attempt to change permissions 1532 for the memory location ofthe contents to give execution permissions. Furthermore, below-O/Ssecurity agent 1520 may be configured to determine the entity writing tomemory 1503 and subsequently attempting to write to permissions 1532 toallow the memory to be executed. Such an entity may typically be aknown, trusted entity such as an operating system loader. Thus,below-O/S security agent 1520 may be configured to determine whether anattempt to lode code into memory 1503 was generated by a known, trustedentity such as an operating system loader. If not, then below-O/Ssecurity agent 1520 may be configured to deny such an attempt anddetermine that the attempt and/or the entity is indicative of malware.

Below-O/S security agent 1520 may be configured to trap an attempt tocopy legitimate function code from memory 1503, copy the function codeto a new location such as a newly allocated portion 1534, and thenexecute the copied code. Such an attempt may be an attempt by malware torun a system function without having to gain authorization from, forexample, operating system 1512 or a driver owning the function.

When trapping an attempted operation, below-O/S security agent 1520 maybe configured to identify the caller of the operation, based uponcontextual information from in-O/S security agent 1519, calling stacksof drivers, and/or memory map 1510. Using security rules 1508, includingbehavioral rules, whitelists or blacklists, below-O/S security agent1520 may be configured to determine whether the caller is known to bemalicious. If such a malicious status is unknown, then below-O/Ssecurity agent 1520 may be configured to allow a write operation tocontinue. However, below-O/S security agent 1520 may be configured tohalt a subsequent execution attempt. Some operations may involvemultiple attempted writes to fully load injected code. Below-O/Ssecurity agent 1520 may allow such writes before halting execution tofully determine and characterize the code that is injected.

As memory 1503 is allocated, deallocated, or written to by trusted oruntrusted entities, below-O/S security agent 1520 may be configured torecord such information in memory map 1510. Below-O/S security agent1520 may mark portions of memory 1503 susceptible to code injectionattacks without permission to execute. An attempted execution of suchportions of memory 1503 may cause a trapped operation. Below-O/Ssecurity agent 1520 may be configured to locate the portion of memory inmemory map 1510 associated with the attempted execution and determinethe associated entity. Below-O/S security agent 1520 may scan the codebytes for indications of known malware or evaluate the possiblymalicious behavior observed in writing the code.

If an attempted loading of code and subsequent attempted execution isdetermined to be suspicious or otherwise indicative of malware,below-O/S security agent 1520 may be configured to take an suitablecorrective action. In one embodiment, below-O/S security agent 1520 maybe configured to fill the written code with dummy information, such as“NOOP” instructions or other patterns. In addition, the memory locationsof the entity that made the attempts may be filled with dummyinformation. In another embodiment, below-O/S security agent 1520 may beconfigured to pass execution on to a remediation engine to clean andquarantine the source and target of the attempts. In yet anotherembodiment, below-O/S security agent 1520 may be configured to mark thememory locations of the caller and the target with permissions 1532disallowing read, write, or execution. Similarly, below-O/S securityagent 1520 may be configured to trap any subsequent attempted read,write, or execute of the memory locations of the caller or target of theattempts. The memory locations associated with the attempts may bemarked as malicious in memory map 1510.

FIG. 19 is an example embodiment of a memory map 1900, such as memorymap 1510 in FIG. 15 after a portion of memory has been determined to bemalicious. Portions 1902, 1907, 1910, 1914, 1918, 1922 of memory map1900 may be shown as unallocated. The memory map may show locations foroperating system kernel 1904, Driver1 1908, Driver2 1912, and Driver31916. A portion of memory determined to be associated with a maliciousattempt to inject and execute code may be designated as malware 1920.Permissions denying read, write, and execution of the malware section1920 may be set. Malware section 1920 may reflect, for example, portionsof memory into which code was injected or portions of memory from wherean injection attempt was made. Subsequently, an attempted access ofmalware section 1920 from an unknown section 1924 may be trapped by abelow-O/S security agent, such as the below-O/S security agent 1520 ofFIG. 15. Such a below-O/S security agent may be configured to set flagsfor trapping access to portions of memory 1503 corresponding to malwaresection 1920. For example, an attempt to read code previously written tosection 1920 may be made by the unknown section 1924. In anotherexample, an attempt to execute code previously written to section 1920may be made by the unknown section 1924. A below-O/S security agent maybe configured to determine that any such attempted access of memorydesignated as malware is itself malicious. Thus, a below-O/S securityagent may block the attempt and redesignate the previously unknownsection 1924 as a malware section 1924. The below-O/S security agent maybe configured to take corrective actions on the newly designated malwaresection 1924, such as filling it with dummy data, passing it to aprocess for cleaning and quarantining it, marking the malware section1924 with permissions to deny read, write, or execute access, and/ortrapping subsequent access to malware section 1924.

FIG. 20 is an example embodiment of a method 2000 forbelow-operating-system trapping of loading and executing code in memoryin an electronic device. In step 2005, security rules may be accessed todetermine resources associated with loading and executing code inmemory. Such security rules may identify the resources, as well ascriteria by which attempted access to the resources will be trapped andevaluated.

In step 2010, flags may be set in a control structure below the level ofoperating systems within the electronic device. Flags may be set, forexample, for trapping the attempted injecting of code and subsequentexecution. Flags may be set for virtual memory access through memorypages and/or through physical memory access through memory addressescorresponding to the attempts described above.

In step 2015, the electronic device may be monitored for trappedattempts to access the resources associated with the injection of codeinto memory. In step 2020, if no attempts have been trapped then theprocess 2000 may proceed to step 2015 to continue monitoring for trappedattempts. If an attempt has been trapped, then the attempt may behandled beginning in step 2025. Such handling may be conducted below thelevel of operating systems of the electronic device. In step 2025,information useful for analyzing whether the attempt may be maliciousmay be gathered. For example, the process, application, driver, orroutine making the attempt may be determined, as well as the target ofthe attempt. Contextual information from inside the operating system ofthe electronic device may be obtained from an in-O/S security agent. Ifan attempt to inject code was made, then the image of the caller may bescanned.

In step 2030, it may be determined whether the entity making the load orinjection attempt is known to be unauthorized to make such an attempt.If so, then in step 2065, the attempt may be denied and any suitablecorrective action taken. In not, meaning that the malware status of theentity may yet be unknown, then in step 2035 the load attempt may beallowed, and it may be determined whether the load attempt ispotentially suspicious, depending upon the circumstances of subsequentattempted execution. If the load attempt is not potentially suspicious,then the method may proceed to step 2015 to continue monitoring theelectronic device.

If the load attempt is still potentially suspicious, then in step 2045the electronic device may be monitored for a subsequent executionattempt of the code that was written. If no attempts have been trappedthen the process 2000 may repeat step 2045 or proceed to step 2015 inparallel to continue monitoring for trapped attempts. If an executionattempt has been trapped, then the attempt may be handled beginning instep 2050. Such handling may be conducted below the level of operatingsystems of the electronic device. In step 2050, information useful foranalyzing whether the execution attempt in combination with the loadattempt may be malicious may be gathered. For example, the process,application, driver, or routine making the attempt may be determined, aswell as the target of the attempt. Contextual information from insidethe operating system of the electronic device may be obtained from anin-O/S security agent. The image of the caller of the execute attemptmay be scanned for indications of malware.

In step 2055, it may be determined whether or not the attemptedexecution in combination with the attempted load indicates malware. Ifso, then in step 2065 the attempt may be denied and any suitablecorrective action taken. If not, then in step 2060 the execution andload attempts may be allowed, and the method 2000 may continue to step2015 to optionally continue monitoring the electronic device.

Methods 300, 600, 800, 1100, 1400 and 2000 may be implemented using anyof the systems of FIGS. 1-2, 4-5, 7, 9, 10, 12-13, 15-19 or any othersystem operable to implement methods 300, 600, 800, 1000, 1400 and 2000.As such, the preferred initialization point for methods 300, 600, 800,1100, 1400, and 2000 and the order of their respective steps may dependon the implementation chosen. In some embodiments, some steps may beoptionally omitted, repeated, or combined. In some embodiments, somesteps of one or more of methods 300, 600, 800, 1100, 1400, and 2000 maybe executed in parallel with other steps of the methods. In certainembodiments, methods 300, 600, 800, 1100, 1400 and 2000 may beimplemented partially or fully in software embodied in computer-readablemedia.

For the purposes of this disclosure, computer-readable media may includeany instrumentality or aggregation of instrumentalities that may retaindata and/or instructions for a period of time. Computer-readable mediamay include, without limitation, storage media such as a direct accessstorage device (e.g., a hard disk drive or floppy disk), a sequentialaccess storage device (e.g., a tape disk drive), compact disk, CD-ROM,DVD, random access memory (RAM), read-only memory (ROM), electricallyerasable programmable read-only memory (EEPROM), and/or flash memory; aswell as non-transitory communications media; and/or any combination ofthe foregoing.

Although the present disclosure has been described in detail, it shouldbe understood that various changes, substitutions, and alterations canbe made hereto without departing from the spirit and the scope of thedisclosure as defined by the appended claims.

1. A system for protecting an electronic device against malware,comprising: a memory; an operating system configured to execute on theelectronic device; a below-operating-system security agent configuredto: trap an attempted access of a resource of the electronic device, theattempted access comprising: attempting to write instructions to thememory; and attempting to execute the instructions; access one or moresecurity rules to determine whether the attempted access is indicativeof malware; and operate at a level below all of the operating systems ofthe electronic device accessing the memory.
 2. The system of claim 1,wherein trapping the attempted resource comprises further configuringthe below-operating-system security agent to trap an attempt to allocateportions of the memory with enabled write permissions.
 3. The system ofclaim 1, wherein trapping the attempted resource comprises furtherconfiguring the below-operating-system security agent to trap an attemptto change permissions of the memory in which instructions were written.4. The system of claim 1, wherein determining whether the attemptedaccess is indicative of malware comprises configuring thebelow-operating-system security agent to scan the instructions writtento memory.
 5. The system of claim 1, wherein determining whether theattempted access is indicative of malware comprises determining theidentify of an entity which made the attempted access.
 6. The system ofclaim 1, wherein trapping the attempted access comprises furtherconfiguring the below-operating-system security agent to trap anattempted access of a portion of the memory containing a memory pagedata structure entry for a driver, wherein the malware status of thedriver is unknown.
 7. The system of claim 1, wherein trapping theattempted access comprises further configuring thebelow-operating-system security agent to trap an attempted access of aportion of the memory containing an unallocated virtual page of kernelspace.
 8. The system of claim 1, wherein trapping the attempted accesscomprises further configuring the below-operating-system security agentto trap an attempted access of a portion of the memory containing anempty virtual page allocated by the operating system.
 9. The system ofclaim 1, wherein trapping the attempted access comprises furtherconfiguring the below-operating-system security agent to: comparecontents of a first memory page written to disk during a swap file writeto the contents of a second memory page after a swap file read, the swapfile read and swap file write corresponding to the same locationidentified by the operating system.
 10. The system of claim 1, whereinthe below-operating system security agent is configured to: allow theattempted writing of instructions; and halt the attempted execution. 11.A method for protecting an electronic device against malware,comprising: trapping an attempted access of a resource of an electronicdevice, the attempted access comprising: attempting to writeinstructions to a memory of the electronic device, the memory comprisingthe resource; and attempting to execute the instructions; accessing oneor more security rules to determine whether the attempted access isindicative of malware; wherein the trapping of the attempted access anddetermining whether the attempted access is indicative of malware isconducted at a level below all of the operating systems of theelectronic device accessing the memory.
 12. The method of claim 11,wherein trapping the attempted resource comprises trapping an attempt toallocate portions of the memory with enabled write permissions.
 13. Themethod of claim 11, wherein trapping the attempted resource comprisestrapping an attempt to change permissions of the memory in whichinstructions were written.
 14. The method of claim 11, whereindetermining whether the attempted access is indicative of malwarecomprises scanning the instructions written to memory.
 15. The method ofclaim 11, wherein determining whether the attempted access is indicativeof malware comprises determining the identify of an entity which madethe attempted access.
 16. The method of claim 11, wherein trapping theattempted access comprises trapping an attempted access of a portion ofthe memory containing a memory page data structure entry for a driver,wherein the malware status of the driver is unknown.
 17. The method ofclaim 11, wherein trapping the attempted access comprises trapping anattempted access of a portion of the memory containing an unallocatedvirtual page of kernel space.
 18. The method of claim 11, whereintrapping the attempted access comprises trapping an attempted access ofa portion of the memory containing an empty virtual page allocated bythe operating system.
 19. The method of claim 11, wherein trapping theattempted access comprises: comparing contents of a first memory pagewritten to disk during a swap file write to the contents of a secondmemory page after a swap file read, the swap file read and swap filewrite corresponding to the same location identified by the operatingsystem.
 20. The method of claim 11, further comprising: allowing theattempted writing of instructions; and halting the attempted execution.21. An article of manufacture, comprising: a computer readable medium;and computer-executable instructions carried on the computer readablemedium, the instructions readable by a processor, the instructions, whenread and executed, for causing the processor to: trap an attemptedaccess of a resource of an electronic device, the attempted accesscomprising: attempting to write instructions to a memory of theelectronic device, the memory comprising the resource; and attempting toexecute the instructions; access one or more security rules to determinewhether the attempted access is indicative of malware; wherein theprocessor is configured to conduct the trapping of the attempted accessand determining whether the attempted access is indicative of malware ata level below all of the operating systems of the electronic deviceaccessing the memory.
 22. The article of claim 21, wherein trapping theattempted resource comprises trapping an attempt to allocate portions ofthe memory with enabled write permissions.
 23. The article of claim 21,wherein trapping the attempted resource comprises trapping an attempt tochange permissions of the memory in which instructions were written. 24.The article of claim 21, wherein determining whether the attemptedaccess is indicative of malware comprises scanning the instructionswritten to memory.
 25. The article of claim 21, wherein determiningwhether the attempted access is indicative of malware comprisesdetermining the identify of an entity which made the attempted access.26. The article of claim 21, wherein trapping the attempted accesscomprises trapping an attempted access of a portion of the memorycontaining a memory page data structure entry for a driver, wherein themalware status of the driver is unknown.
 27. The article of claim 21,wherein trapping the attempted access comprises trapping an attemptedaccess of a portion of the memory containing an unallocated virtual pageof kernel space.
 28. The article of claim 21, wherein trapping theattempted access comprises trapping an attempted access of a portion ofthe memory containing an empty virtual page allocated by the operatingsystem.
 29. The article of claim 21, wherein trapping the attemptedaccess comprises: comparing contents of a first memory page written todisk during a swap file write to the contents of a second memory pageafter a swap file read, the swap file read and swap file writecorresponding to the same location identified by the operating system.30. The article of claim 21, wherein the processor is further caused to:allow the attempted writing of instructions; and halt the attemptedexecution.